https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102916#M21610 <P>Can I get some help with a search or report?</P> <P>We have an issue where some hosts were renamed or cloned and Splunk was not re-installed so the Host does not match the ComputerName.</P> <P>I know that I can simply update the $SPLUNK_HOME/etc/system/local files to fix the situation but I need to be able to identify these machines out of 500+ hosts and monitor so that it doesn't happen again.</P> <P>Can someone please post a search that shows all hosts where the "Host" field does NOT match the "ComputerName" field?</P> <P>I have tried and tried and can't seem to track down the correct search language. It seems simple enough but I'm stuck. Maybe I'm over-thinking it.</P> <P>Thanks,</P> Mon, 22 Jul 2013 17:50:02 GMT loatswil 2013-07-22T17:50:02Z https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102916#M21610 <P>Can I get some help with a search or report?</P> <P>We have an issue where some hosts were renamed or cloned and Splunk was not re-installed so the Host does not match the ComputerName.</P> <P>I know that I can simply update the $SPLUNK_HOME/etc/system/local files to fix the situation but I need to be able to identify these machines out of 500+ hosts and monitor so that it doesn't happen again.</P> <P>Can someone please post a search that shows all hosts where the "Host" field does NOT match the "ComputerName" field?</P> <P>I have tried and tried and can't seem to track down the correct search language. It seems simple enough but I'm stuck. Maybe I'm over-thinking it.</P> <P>Thanks,</P> Mon, 22 Jul 2013 17:50:02 GMT https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102916#M21610 loatswil 2013-07-22T17:50:02Z https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102917#M21611 <P>For Windows: if (1) you are indexing the Windows System Event log and (2) the event log contains a field named ComputerName, you could do this:</P> <PRE><CODE>sourcetype="WinEventLog:System" | where upper(host)!=upper(ComputerName) | dedup host ComputerName | table host ComputerName </CODE></PRE> <P>For Linux, you need to find a log file that contains the host name, and run a similar search.</P> Mon, 22 Jul 2013 18:41:50 GMT https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102917#M21611 lguinn2 2013-07-22T18:41:50Z https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102918#M21612 <P>Hi I have this problem in my enviorment but the search didn't work.</P> <P>The host=myhost the Computername=myhost.network.com</P> <P>this shows in the mismatch above.</P> <P>I tried this:<BR /> <CODE>sourcetype="WinEventLog:System” <BR /> | rex "ComputerName\=(?&lt;computerName&gt;.*)\.network"<BR /> | where upper(host)!=upper(computerName)<BR /> | dedup host computerName<BR /> | table host computerName</CODE></P> <P>But it misses the ones where Computer name dosn't not have the FQDN.</P> <P>Any sugestions on how this would work for both conditions where the ComputerName is FQDN OR ComputerName is netbios?</P> Thu, 12 Sep 2013 18:39:41 GMT https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102918#M21612 hartfoml 2013-09-12T18:39:41Z https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102919#M21613 <P>I even tried this but the eval command didn't work</P> <P><CODE>sourcetype="WinEventLog:System" <BR /> | EVAL computerName=if(ComputerName="*.network.*",regex=ComputerName\=(?)\.network,ComputerName)<BR /> | where upper(host)!=upper(computerName)<BR /> | dedup host computerName<BR /> | table host computerName index</CODE></P> Thu, 12 Sep 2013 18:52:05 GMT https://community.splunk.com/t5/Getting-Data-In/Host-and-ComputerName-Mismatch-Search/m-p/102919#M21613 hartfoml 2013-09-12T18:52:05Z