Splunk Host header overrides host key from log messages


How can I stop Splunk considering hostname "host" more important than "host" key?

Let's suppose that I have the following logs:

color = red ; host = localhost
color = blue ; host = newhost

The following query works fine:

index=myindex | stats count by color

but the following doesn't:

index=myindex | stats count by host

because instead of considering "host" to be the key from the log, it treats the Host header as "host".

How can I deal with this?


When there are two fields with the same name one of them has to "win". In this case, it's the one Splunk defines before it processes the event itself. As you probably know, every event is given 4 fields at input time: index, host, source, and sourcetype. Data from the event won't override these unless specifically told to do so in the config files.

To override the settings, put this in your transforms.conf file:

[sethost]
REGEX = host\s*=\s*(\w+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

You'll also need to reference the transform in your props.conf file:

[mysourcetype]
TRANSFORMS-host = sethost
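Added example, not part of the answer and not Splunk code: a small Python model of how an index-time transform like sethost rewrites MetaData:Host, run over the question's two events plus a constructed event whose hostname contains hyphens and dots. The input-time host "forwarder01" and the precedence logic are assumptions of the model; the point it shows is that the answer's `\w+` capture stops at the first hyphen or dot, so a tighter character class is needed for FQDN-style hostnames.

```python
import re

# The transforms.conf stanza from the answer, as a Python dict (constructed model).
SETHOST = {
    "REGEX": r"host\s*=\s*(\w+)",
    "DEST_KEY": "MetaData:Host",
    "FORMAT": "host::$1",
}

# Same stanza with a capture group that also keeps hyphens and dots (suggested variant).
SETHOST_FQDN = dict(SETHOST, REGEX=r"host\s*=\s*([\w.-]+)")

def apply_transform(event, input_host, transform=SETHOST):
    """Return the host metadata for one event after an index-time transform.

    input_host is the value Splunk assigned at input time (e.g. the forwarder
    name). In this model it wins unless the transform's REGEX matches and its
    DEST_KEY is MetaData:Host, in which case FORMAT supplies the new value.
    """
    if transform is None:
        return input_host
    m = re.search(transform["REGEX"], event)
    if not m or transform["DEST_KEY"] != "MetaData:Host":
        return input_host
    # FORMAT for MetaData keys is key::value; $1 is the first capture group.
    key, _, value = transform["FORMAT"].replace("$1", m.group(1)).partition("::")
    return value if key == "host" else input_host

# Constructed sample events: the two from the question plus an FQDN-style host.
EVENTS = [
    "color = red ; host = localhost",
    "color = blue ; host = newhost",
    "color = green ; host = web-01.example.com",
]

def host_counts(transform=SETHOST, input_host="forwarder01"):
    """Model of `stats count by host` over EVENTS after the transform is applied."""
    counts = {}
    for ev in EVENTS:
        h = apply_transform(ev, input_host, transform)
        counts[h] = counts.get(h, 0) + 1
    return counts

if __name__ == "__main__":
    print("no transform:   ", host_counts(None))          # every event counted under forwarder01
    print("answer's regex: ", host_counts())              # web-01.example.com is truncated to 'web'
    print("tighter regex:  ", host_counts(SETHOST_FQDN))  # full hostname preserved
```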

I would have thought this solution would be more prominent, but I found it buried deep in the Splunk docs.

https://docs.splunk.com/Documentation/Splunk/8.2.6/Metrics/Search

You can use reserved fields such as "source", "sourcetype", or "host" as dimensions. However, when extracted dimension names are reserved names, the name is prefixed with "extracted_" to avoid name collision. For example, if a dimension name is "host", search for "extracted_host" to find it.

So, in your case:

index=myindex | stats count by extracted_host