Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add field to all events from host

renems
Communicator
‎07-17-2014 02:35 AM

Hi There,

I am working on an enterprise installation. At the moment we have 1500+ hosts sending data. I'd like each host to tell to which client it belongs.

In the default splunk setup, the input.conf the hostname is specified likewise:
[default]
host =

Since each host has it's own app('s), I might as well add to the input.conf in the specific apps:
[default]
client =

Unfortunately, this won't work. Why? Is the host field treated differently? I'm aware I can add fields in props/transforms, or use tags, but that adds up to the level of maintenance (props/conf because it is set per sourcetype, tags because I have to modify it with each new host added to splunk).

Any thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-17-2014 04:24 AM

You can't just make up inputs.conf keys such as client, see http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/inputsconf for a reference of available keys.

You could prefix your hosts with the client, e.g. this:

[default]
host = client_actualhost

Either keep that field as-is, or define transforms.conf rules to pick apart these two values to store the client in a custom indexed field and reduce the host to actualhost.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-17-2014 04:24 AM

You can't just make up inputs.conf keys such as client, see http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/inputsconf for a reference of available keys.

You could prefix your hosts with the client, e.g. this:

[default]
host = client_actualhost

Either keep that field as-is, or define transforms.conf rules to pick apart these two values to store the client in a custom indexed field and reduce the host to actualhost.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...