Handle incorrectly-assigned host values
At some point, you might discover that the host value for some of your events is incorrect for some reason. For example, you might be scraping some Web proxy logs into a directory directly on your Splunk Enterprise server and you add that directory as an input without remembering to override the value of the host field, causing all those events to think their original host value is the same as your Splunk Enterprise host.
If something like that happens, here are your options, in order of complexity:
- Delete and reindex the entire data set.
- Use a search to delete the specific events that have the incorrect host value, and reindex those events.
- Tag the incorrect host values, and use the tag to search.
- Set up a CSV lookup to look up the host, map it in the lookup file to a new field name, and use the new name in searches.
- Alias the host field to a new field (such as
temp_host), set up a CSV lookup to look up the correct host name using the name
temp_host, then have the lookup overwrite the original
hostwith the new lookup value (using the
OUTPUToption when defining the lookup).
Of these options, the last option will look the nicest if you can't delete and reindex the data, but deleting and reindexing the data will give the best performance.
Change host values after indexing
Why source types matter
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14