Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Syslog server "host" field question

adamblock2
Path Finder
‎01-13-2016 08:55 AM

The Splunk documentation defines “host” as being “an event host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated.” In the case of a syslog server, is it best for the “host” field to contain the hostname of the syslog server, or could/should it contain the hostname of the host where the events are generated?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎01-14-2016 08:07 AM

The host field should absolutely be the place where the event occurred and not anything else in the delivery pipeline to splunk.

0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2016 09:07 AM

Syslog server will be an intermediate location between Splunk and actual server where events were generated. I would use the hostname of the server where events where generated (this should be logged within each event data itself) as host field, mostly using a transforms.conf to overwrite metadata field host.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/overridedefaulthostassignments

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...