Splunk® Enterprise

Getting Data In

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Change host values after indexing

At some point after indexing, you might notice that the host value for some of your events isn't correct. For example, you might be collecting Web proxy logs into a directory directly on your Splunk platform instance and you add that directory as an input without remembering to override the value of the host field, which results in the host value being the same as your Splunk platform instance.

If something like that happens, here are your options, from easiest to hardest. You can do all of these with a Splunk Cloud Platform instance:

  • Delete and reindex the data. See Remove indexes and indexed data in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  • Use a search to delete the specific events that have the incorrect host value and reindex those events. See Remove an index entirely in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  • Tag the incorrect host values and use the tag to search. See Tag field-value pairs in Search in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  • Set up a comma-separated values (CSV) lookup to look up the host, map it in the lookup file to a new field name, and use the new name in searches. See Introduction to lookup configuration in the Splunk Enterprise Knowledge Manager Manual.
  • Create an alias for the host field to a new field such as temp_host, set up a CSV lookup to look up the correct host name using the name temp_host, and then have the lookup overwrite the original host with the new lookup value using the OUTPUT option when defining the lookup. See Create field aliases in Splunk Web and Introduction to lookup configuration in the Splunk Enterprise Knowledge Manager Manual.

Of these options, deleting and reindexing gives you the best performance and is the easiest to do. If you can't delete and reindex the data, then the last option provides the fastest alternative.

For more information about overriding the value of a host field, see Override the value of the host field.

Last modified on 27 October, 2021
PREVIOUS
Set host values based on event data
  NEXT
Why source types matter

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.5, 8.0.10, 7.2.1, 7.0.1, 8.0.4, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 8.0.6, 8.0.7, 8.0.8


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters