Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add field to all events from host

renems
Communicator
‎07-17-2014 02:35 AM

Hi There,

I am working on an enterprise installation. At the moment we have 1500+ hosts sending data. I'd like each host to tell to which client it belongs.

In the default splunk setup, the input.conf the hostname is specified likewise:
[default]
host =

Since each host has it's own app('s), I might as well add to the input.conf in the specific apps:
[default]
client =

Unfortunately, this won't work. Why? Is the host field treated differently? I'm aware I can add fields in props/transforms, or use tags, but that adds up to the level of maintenance (props/conf because it is set per sourcetype, tags because I have to modify it with each new host added to splunk).

Any thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-17-2014 04:24 AM

You can't just make up inputs.conf keys such as client, see http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/inputsconf for a reference of available keys.

You could prefix your hosts with the client, e.g. this:

[default]
host = client_actualhost

Either keep that field as-is, or define transforms.conf rules to pick apart these two values to store the client in a custom indexed field and reduce the host to actualhost.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-17-2014 04:24 AM

You can't just make up inputs.conf keys such as client, see http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/inputsconf for a reference of available keys.

You could prefix your hosts with the client, e.g. this:

[default]
host = client_actualhost

Either keep that field as-is, or define transforms.conf rules to pick apart these two values to store the client in a custom indexed field and reduce the host to actualhost.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...