Change host values after indexing
At some point after indexing, you might discover that the host value for some of your events is not correct. For example, you might be collecting some Web proxy logs into a directory directly on your Splunk Enterprise server and you add that directory as an input without remembering to override the value of the host field, which results in the host value being the same as your Splunk Enterprise host.
If something like that happens, here are your options, from easiest to hardest:
- Delete and reindex the data.
- Use a search to delete the specific events that have the incorrect host value, and reindex those events.
- Tag the incorrect host values, and use the tag to search.
- Set up a comma-separated values (CSV) lookup to look up the host, map it in the lookup file to a new field name, and use the new name in searches.
- Alias the host field to a new field (such as temp_host), set up a CSV lookup to look up the correct host name using the name temp_host, then have the lookup overwrite the original host with the new lookup value (using the OUTPUT option when defining the lookup).
Of these options, deleting and reindexing gives you the best performance and is the easiest. If you cannot delete and reindex the data, then the last option provides the cleanest alternative.
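What the last option looks like in configuration, as an added example that is not part of the Splunk documentation. The app name proxy_fix, the source type web_proxy, the lookup stanza name host_fix and the host names are all assumed; the lookup file is host_fix.csv with a header row `temp_host,host` and one row per wrong/right pair, such as `splunk-server.example.com,proxy01.example.com` (a constructed sample).

```ini
# $SPLUNK_HOME/etc/apps/proxy_fix/local/transforms.conf
# Points the lookup at host_fix.csv in the app's lookups/ directory.
[host_fix]
filename = host_fix.csv

# $SPLUNK_HOME/etc/apps/proxy_fix/local/props.conf
# Scope the rewrite to the proxy source type so it never touches events
# that genuinely originate on the Splunk Enterprise server.
[web_proxy]

# Step 1: expose the stored (incorrect) host under a second name. Field
# aliases are applied before automatic lookups, so temp_host exists by
# the time the lookup runs, and it keeps the original value available
# for verification (e.g. "sourcetype=web_proxy | stats count by temp_host, host").
FIELDALIAS-keep_original_host = host AS temp_host

# Step 2: match temp_host against the CSV and write the corrected value
# back into host. OUTPUT overwrites an existing field; OUTPUTNEW would
# leave the incorrect host in place, so OUTPUT is required here.
LOOKUP-fix_host = host_fix temp_host OUTPUT host
```

Events whose temp_host has no row in the CSV keep their original host value, so the lookup file must list every incorrect host value you intend to correct.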
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101