Handle incorrectly-assigned host values
At some point, you might discover that the host value for some of your events is incorrect. For example, you might be scraping some Web proxy logs into a directory directly on your Splunk server and then add that directory as an input without remembering to override the value of the host field, so all of those events are indexed with your Splunk server's host name instead of the proxy's.
If something like that happens, here are your options, in order of complexity:
- Delete and reindex the entire index.
- Use a search to delete the specific events that have the incorrect host value, and reindex those events.
- Tag the incorrect host values, and use the tag to search.
- Set up a static field lookup to look up the host, map it in the lookup file to a new field name, and use the new name in searches.
- Alias the host field to a new field (such as temp_host), set up a static field lookup to look up the correct host name using the name temp_host, then have the lookup overwrite the original host with the new lookup value (using the OUTPUT option when defining the lookup).
Of these options, the last option will look the nicest if you can't delete and reindex the data, but deleting and reindexing the data will give the best performance.
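The following configuration is an added example of the last option (field alias plus a static CSV lookup that overwrites host), not configuration from this page or shipped by Splunk. It assumes a source type named proxy_access, a lookup file named fix_host.csv, a Splunk server whose host name is splunk01, and that the proxy events actually came from proxy01; all of those names are made up for the illustration.

```ini
; props.conf (for example $SPLUNK_HOME/etc/system/local/props.conf)
; Both settings apply at search time to events of the affected source type.
[proxy_access]
; 1. Keep the original (wrong) host reachable under a new name.
FIELDALIAS-temp_host = host AS temp_host
; 2. Look up the correct host using temp_host as the match field and
;    write the result back into host. OUTPUT (not OUTPUTNEW) is what
;    makes the lookup overwrite the existing host value.
LOOKUP-fix_host = fix_host_lookup temp_host OUTPUT correct_host AS host

; transforms.conf (same directory)
; Static CSV lookup; the file lives in $SPLUNK_HOME/etc/system/lookups/
; or in the lookups directory of the app that owns this configuration.
[fix_host_lookup]
filename = fix_host.csv

; fix_host.csv (constructed sample; one row per wrongly-assigned host)
; temp_host,correct_host
; splunk01,proxy01
```

After a restart or a debug/refresh of the search head, a search such as sourcetype=proxy_access host=proxy01 returns the corrected events, while temp_host still shows the original value so you can confirm which events the lookup rewrote. Because this is a search-time lookup, the indexed data is unchanged, which is why the page notes that deleting and reindexing gives better performance.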
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18