Handle incorrectly-assigned host values
At some point, you may discover that the host value for some of your events has been set incorrectly. For example, you might be scraping some Web proxy logs into a directory directly on your Splunk server and add that directory as an input to Splunk without remembering to override the value of the host field, so that all of those events carry your Splunk server's hostname as their host value instead of the proxy's.
If something like that happens, here are your options, in order of complexity:
- Delete and reindex the entire index
- Use a search to delete the specific events that have the incorrect host value and reindex those events
- Tag the incorrect host values with a tag, and search with that
- Set up a static field lookup to look up the host, map it in the lookup file to a new field name, and use the new name in searches
- Alias the host field to a new field (such as temp_host), set up a static field lookup to look up the correct host name using the name temp_host, then have the lookup overwrite the original host with the new lookup value (using the OUTPUT option when defining the lookup)
Of these options, the last option will look the nicest if you can't delete and reindex the data, but deleting and reindexing the data will always give the best performance.
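As an added example (not part of the original documentation), the following configuration wires up the last option at search time. The lookup name fix_proxy_host, the CSV file name, the source path and the hostnames are assumed; the stanza is scoped to the proxy log source so that events that genuinely originate from the Splunk server keep their correct host value.

```ini
# --- $SPLUNK_HOME/etc/system/lookups/fix_proxy_host.csv (constructed sample) ---
# temp_host,host
# splunk-server.example.com,proxy01.example.com

# --- transforms.conf: define the static lookup backed by the CSV above ---
[fix_proxy_host]
filename = fix_proxy_host.csv

# --- props.conf: apply only to the mis-assigned proxy log source ---
# The source:: scope matters: the lookup is keyed on the (wrong) host value,
# which is the Splunk server's own name, so without the scope it would also
# rewrite host on the server's legitimate events.
[source::/var/log/proxy-scrape/*]
# Alias the existing host field to temp_host so it can be used as lookup input.
FIELDALIAS-temp_host = host AS temp_host
# Look up temp_host in the CSV and OUTPUT host, overwriting the original value.
# OUTPUTNEW would leave the incorrect host in place because the field already exists.
LOOKUP-fix_host = fix_proxy_host temp_host OUTPUT host
```

Because this is a search-time rewrite, the indexed host value is unchanged; searches that rely on indexed host (such as `host=proxy01.example.com` used to restrict the initial search) still see the old value until the data is reindexed.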
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11