
Host name in inputs.conf file

skibum
Engager

I am trying to use a host name in the stanza [udp://foo.514] but the name is not taking. On the same subject, if I have [udp://514] hostname = foo, this is ignored?

Is this just because I am using udp instead of tcp?

gkanapathy
Splunk Employee

Correct. It does not work with UDP, since there are no "connections" on a UDP port. However, I am not certain that this would do what you might be thinking it does. Please elaborate on what you would like this setting to actually do.

Genti
Splunk Employee

    #*******
    # TCP:
    #*******

    [tcp://:]
    * Configure Splunk to listen on a specific port.
    * If a connection is made from , this stanza is used to configure the input.
    * If is blank, this stanza matches all connections on the specified port.

    #*******
    # UDP:
    #*******

    [udp://]
    * Similar to TCP, except that it listens on a UDP port.

All options that work for TCP should work for UDP as well. I believe your syntax might be a bit off though. Check the config file instructions:

    # The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10.
    # All data is assigned the host "webhead-1", the sourcetype "access_common" and
    # the source "//10.1.1.10/var/log/apache/access.log."

    [tcp://10.1.1.10:9995]
    host = webhead-1
    sourcetype = access_common
    source = //10.1.1.10/var/log/apache/access.log

  • need to use foo:514
  • need to use host = foo

Lastly, if you actually want to see it being indexed as host = foo instead of host = 1.2.3.4, you need to set the flag connection_host = none.

.gz

0 Karma

bwooden
Splunk Employee

There are a few places the host value may be set.
Is your inputs.conf on the indexer?

Beyond inputs.conf, host values can also be set using props.conf & transforms.conf.
You can extract the host value from the syslog message too.

0 Karma
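As an added example (not part of the original thread and not Splunk's shipped configuration), the settings named in the answers above can be put together like this: the `host` / `connection_host = none` pair from Genti's answer on the UDP input, plus the props.conf and transforms.conf host override that bwooden mentions. The sourcetype name `fw_syslog`, the transform stanza name and the regex are assumptions made for the illustration.

```ini
# ---- inputs.conf (on the instance that owns the UDP listener) ----
[udp://514]
# Hypothetical sourcetype, chosen so the override below is the only
# host rewrite applied to these events.
sourcetype = fw_syslog
# connection_host decides where the host field of a network input comes from:
#   ip   = the sender's IP address
#   dns  = the reverse DNS name of the sender
#   none = the "host" value set in this stanza
connection_host = none
host = foo

# ---- props.conf (on the instance that parses the data) ----
# Optional per-event override: replace the static host above with the
# hostname carried in each syslog header.
[fw_syslog]
TRANSFORMS-sethost = set_host_from_syslog_header

# ---- transforms.conf ----
# Hypothetical stanza name. The regex is constructed for a BSD-style header
# such as:  <34>Oct 11 22:14:15 fw01 sshd[411]: Failed password ...
# The leading <PRI> is optional because the input may already have removed it.
[set_host_from_syslog_header]
REGEX = ^(?:<\d+>)?\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s
DEST_KEY = MetaData:Host
FORMAT = host::$1
```

The hostname in a syslog header is supplied by the sender, so a host value derived this way is a claim made by the device rather than evidence of where the packet came from.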