https://community.splunk.com/t5/Getting-Data-In/Retrieving-logs-from-all-hosts-in-Splunk-cloud-instead-of-one/m-p/463871#M79997 <P>Yes, this is normal default behavior but it is definitely incorrect for your use case. You need to override the <CODE>host</CODE> value and take it from inside of the event or from the connection. See here for how we do it:<BR /> <A href="http://www.georgestarcher.com/splunk-success-with-syslog/">http://www.georgestarcher.com/splunk-success-with-syslog/</A></P> Wed, 18 Sep 2019 17:44:37 GMT woodcock 2019-09-18T17:44:37Z https://community.splunk.com/t5/Getting-Data-In/Retrieving-logs-from-all-hosts-in-Splunk-cloud-instead-of-one/m-p/463869#M79995 <P>Hi,</P> <P>Tanium is sending logs to our only syslog server and we have created a folder in that server (let us say a) so in Splunk cloud it should show as host = a, but in Splunk cloud, we could see hostname containing different syslog servers. Is it a bug?</P> Mon, 26 Aug 2019 12:34:22 GMT https://community.splunk.com/t5/Getting-Data-In/Retrieving-logs-from-all-hosts-in-Splunk-cloud-instead-of-one/m-p/463869#M79995 VijaySrrie 2019-08-26T12:34:22Z https://community.splunk.com/t5/Getting-Data-In/Retrieving-logs-from-all-hosts-in-Splunk-cloud-instead-of-one/m-p/463870#M79996 <P>It depends on how the data is being handled during index time. You can change the host field in index time with props/transforms confs and you can also set the host as a segment of the path your monitoring. </P> <P>Several TAs bring some kind of field manipulation out of the box (e.g. you index data with source type pan_logs and it ends up as pan:traffic, pan:system, etc). Same logic can be applied to other fields in index time (e.g. index (for data routing), host (to correctly assign the host name), etc. )</P> Mon, 26 Aug 2019 12:42:02 GMT https://community.splunk.com/t5/Getting-Data-In/Retrieving-logs-from-all-hosts-in-Splunk-cloud-instead-of-one/m-p/463870#M79996 diogofgm 2019-08-26T12:42:02Z https://community.splunk.com/t5/Getting-Data-In/Retrieving-logs-from-all-hosts-in-Splunk-cloud-instead-of-one/m-p/463871#M79997 <P>Yes, this is normal default behavior but it is definitely incorrect for your use case. You need to override the <CODE>host</CODE> value and take it from inside of the event or from the connection. See here for how we do it:<BR /> <A href="http://www.georgestarcher.com/splunk-success-with-syslog/">http://www.georgestarcher.com/splunk-success-with-syslog/</A></P> Wed, 18 Sep 2019 17:44:37 GMT https://community.splunk.com/t5/Getting-Data-In/Retrieving-logs-from-all-hosts-in-Splunk-cloud-instead-of-one/m-p/463871#M79997 woodcock 2019-09-18T17:44:37Z