https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218249#M96154 <P>Hi hanijamal,<BR /> I don't know if you can intervene on your forwarders, but the hostname is setted in two conf files sited in $SPLUNK_HOME/etc/system/local:</P> <UL> <LI>output.conf</LI> <LI>inputs.conf Your should verify what is the hostname you receive.</LI> </UL> <P>If you cannot modify hostname in your forwarders, the only way is to override hosts using props.conf and transforms.conf (see <A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Overridedefaulthostassignments#Configuration):">https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Overridedefaulthostassignments#Configuration):</A></P> <P>Bye.<BR /> Giuseppe</P> Wed, 04 Jan 2017 08:33:46 GMT gcusello 2017-01-04T08:33:46Z https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218247#M96152 <P>hey guys, i am pretty sure we have something in place which is stripping the hostname from the fqdn. just cannot figure it out.</P> <P>for example host=ab12345.domain.com gets stripped and when searched only shows host=ab12345</P> <P>we have a few thousand hosts that are coming in fine, however a handful show up WITH fqdn when i make a search.</P> <P>why would only a few hosts be showing with fqdn when 99% are showing in search fine.</P> <P>background: we have a host data coming in from ucmd via lookup</P> <P>thanks</P> Wed, 04 Jan 2017 03:06:46 GMT https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218247#M96152 hanijamal 2017-01-04T03:06:46Z https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218248#M96153 <P>transforms.conf and props.conf might be the right place to start with and from. Please have a look here:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Overridedefaulthostassignments#Configuration">https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Overridedefaulthostassignments#Configuration</A></P> Wed, 04 Jan 2017 06:01:25 GMT https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218248#M96153 gokadroid 2017-01-04T06:01:25Z https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218249#M96154 <P>Hi hanijamal,<BR /> I don't know if you can intervene on your forwarders, but the hostname is setted in two conf files sited in $SPLUNK_HOME/etc/system/local:</P> <UL> <LI>output.conf</LI> <LI>inputs.conf Your should verify what is the hostname you receive.</LI> </UL> <P>If you cannot modify hostname in your forwarders, the only way is to override hosts using props.conf and transforms.conf (see <A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Overridedefaulthostassignments#Configuration):">https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Overridedefaulthostassignments#Configuration):</A></P> <P>Bye.<BR /> Giuseppe</P> Wed, 04 Jan 2017 08:33:46 GMT https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218249#M96154 gcusello 2017-01-04T08:33:46Z https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218250#M96155 <P>for logs which are not yet indexed, you can use props and transform, as mentioned above. </P> <P>for the data which is already indexed, you can use regular expressions to pick only the hostnames</P> <PRE><CODE>your search | rex field=_raw "host=(?&lt;hostname&gt;\w+)\." | table _raw hostname </CODE></PRE> Wed, 04 Jan 2017 09:23:49 GMT https://community.splunk.com/t5/Getting-Data-In/strip-fqdn-from-hostname-field/m-p/218250#M96155 inventsekar 2017-01-04T09:23:49Z