Change host values after indexing
At some point after indexing, you might notice that the host value for some of your events isn't correct. For example, you might be collecting Web proxy logs into a directory directly on your Splunk platform instance and you add that directory as an input without remembering to override the value of the host field, which results in the host value being the same as your Splunk platform instance.
If something like that happens, here are your options, from easiest to hardest. You can do all of these with a Splunk Cloud Platform instance:
- Delete and reindex the data. See Remove indexes and indexed data in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
- Use a search to delete the specific events that have the incorrect host value and reindex those events. See Remove an index entirely in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
- Tag the incorrect host values and use the tag to search. See Tag field-value pairs in Search in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
- Set up a comma-separated values (CSV) lookup to look up the host, map it in the lookup file to a new field name, and use the new name in searches. See Introduction to lookup configuration in the Splunk Enterprise Knowledge Manager Manual.
- Create an alias for the host field to a new field such as
temp_host
, set up a CSV lookup to look up the correct host name using the nametemp_host
, and then have the lookup overwrite the originalhost
with the new lookup value using theOUTPUT
option when defining the lookup. See Create field aliases in Splunk Web and Introduction to lookup configuration in the Splunk Enterprise Knowledge Manager Manual.
Of these options, deleting and reindexing gives you the best performance and is the easiest to do. If you can't delete and reindex the data, then the last option provides the fastest alternative.
For more information about overriding the value of a host field, see Override the value of the host field.
Set host values based on event data | Why source types matter |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!