Solved: Add field to all events from host

renems · ‎07-17-2014

Hi There,

I am working on an enterprise installation. At the moment we have 1500+ hosts sending data. I'd like each host to tell to which client it belongs.

In the default splunk setup, the input.conf the hostname is specified likewise:
[default]
host =

Since each host has it's own app('s), I might as well add to the input.conf in the specific apps:
[default]
client =

Unfortunately, this won't work. Why? Is the host field treated differently? I'm aware I can add fields in props/transforms, or use tags, but that adds up to the level of maintenance (props/conf because it is set per sourcetype, tags because I have to modify it with each new host added to splunk).

Any thoughts?

martin_mueller · ‎07-17-2014

You can't just make up inputs.conf keys such as client, see http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/inputsconf for a reference of available keys.

You could prefix your hosts with the client, e.g. this:

[default]
host = client_actualhost

Either keep that field as-is, or define transforms.conf rules to pick apart these two values to store the client in a custom indexed field and reduce the host to actualhost.

View solution in original post

martin_mueller · ‎07-17-2014

You can't just make up inputs.conf keys such as client, see http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/inputsconf for a reference of available keys.

You could prefix your hosts with the client, e.g. this:

[default]
host = client_actualhost

Either keep that field as-is, or define transforms.conf rules to pick apart these two values to store the client in a custom indexed field and reduce the host to actualhost.

Add field to all events from host

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!