Change host values after indexing
At some point after indexing, you might discover that the host value for some of your events is not correct. For example, you might be collecting some Web proxy logs into a directory directly on your Splunk Enterprise server and you add that directory as an input without remembering to override the value of the host field, which results in the host value being the same as your Splunk Cloud host.
If something like that happens, here are your options, from easiest to hardest:
- Delete and reindex the data. See Delete and reindex the data in the Splunk Enterprise Index Manual.
- Use a search to delete the specific events that have the incorrect host value. See Remove data from Splunk in the Splunk Enterprise Index Manual.
- Tag the incorrect host values. and use the tag to search. See Tag Alias Field Values in the Splunk Enterprise Knowledge Manager Manual
- Set up a Comma-separated values (CSV) lookup to look up the host, map it in the lookup file to a new a field name, and use the new name in searches. See Add fields from etxternal data sources to look up the host, map it in the lookup file to a new field name, and use the new name in searches.
- Alias the host field to a new field, such as
temp_host. See Alias the host field. Then, set up a CSV lookup to look up the correct host name using the name
temp_host, then have the lookup overwrite the original
hostwith the new lookup value (using the
OUTPUToption when defining the lookup).
Of these options, deleting and reindexing gives you the best performance and is the easiest. If you cannot delete and reindex the data, then the last option provides the cleanest alternative.
Set host values based on event data
Why source types matter
This documentation applies to the following versions of Splunk Cloud™: 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7