https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-define-a-host/m-p/218879#M43005 <P>I am a network admin. I followed the documentation on how to connect an F5 load-balancer, Cisco ASA, and Checkpoint Firewall. The only way I could validate logs were making it to the Splunk server was with a packet capture. All searches initially failed. In "Data Summary, my ASA is not listed. The only way I can see any logs is with index=%ASA sourcetype="cisco:asa". I found my F5 listed by IP and clicking on that host DOES show logs. I found my Checkpoint listed by IP. Clicking on that host fails to bring up anything. It is also listed by hostname but nothing comes up with that either. Windows servers do show up by host name and they show results. There are also host names titled 2016, EDT, CST, INFO, UTC, Version, WARN. What are those? They aren't hosts as I know it. This is a mess. How does Splunk define a "host"? We are using Splunk 6.5 - Single Node.</P> Wed, 04 Jan 2017 19:30:27 GMT olsonc58 2017-01-04T19:30:27Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-define-a-host/m-p/218879#M43005 <P>I am a network admin. I followed the documentation on how to connect an F5 load-balancer, Cisco ASA, and Checkpoint Firewall. The only way I could validate logs were making it to the Splunk server was with a packet capture. All searches initially failed. In "Data Summary, my ASA is not listed. The only way I can see any logs is with index=%ASA sourcetype="cisco:asa". I found my F5 listed by IP and clicking on that host DOES show logs. I found my Checkpoint listed by IP. Clicking on that host fails to bring up anything. It is also listed by hostname but nothing comes up with that either. Windows servers do show up by host name and they show results. There are also host names titled 2016, EDT, CST, INFO, UTC, Version, WARN. What are those? They aren't hosts as I know it. This is a mess. How does Splunk define a "host"? We are using Splunk 6.5 - Single Node.</P> Wed, 04 Jan 2017 19:30:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-define-a-host/m-p/218879#M43005 olsonc58 2017-01-04T19:30:27Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-define-a-host/m-p/218880#M43006 <P>The Splunk definition of host can be found here, with details how Splunk assigns it.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Abouthosts">http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Abouthosts</A></P> <P>About the sample values like 2016, EDT, CST... in your case, it seems a wrong regex being used to capture/assign host values. </P> Wed, 04 Jan 2017 20:09:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-define-a-host/m-p/218880#M43006 somesoni2 2017-01-04T20:09:20Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-define-a-host/m-p/218881#M43007 <P>Your index "ASA" is not listed in Data Summary because you need to add it into "indexes searched by default". <BR /> That's why you have no results when you trying to search without pointing an index name.<BR /> Сheck "Indexes searched by default" in Access controls-&gt;Roles <BR /> always after you create new index.</P> Wed, 11 Jan 2017 12:49:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-define-a-host/m-p/218881#M43007 kalianov 2017-01-11T12:49:24Z