https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393037#M6135 <P>Are you working on an all-in-one Splunk instance or a distributed environment?</P> <P>I would also check my inputs.conf to see if a host=127.0.0.1 parameter was also defined for the path you want to monitor.</P> Tue, 28 May 2019 15:28:53 GMT uhaq 2019-05-28T15:28:53Z https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393036#M6134 <P>My data consists of a hierarchical zip file. Although the hostname is always located in the fifth and last segment of the path, entering 5 at index time for "Segment in path" did not work. Instead, the host is always displayed as 127.0.0.1. <BR /> For reference, the source path looks similar to this: <STRONG>files.zip:./files/dir/logs/hostname</STRONG><BR /> I have also tried many other numbers, including -1 in the hope that it could count backwards.<BR /> Even when uploading one <STRONG>single log file</STRONG> which just has the hostname as the filename, and entering segment in path = 1, the hostname was not recognised.<BR /> I don't have access to edit props.conf, transforms.conf etc., so it would need to work from the web interface.</P> Tue, 28 May 2019 14:22:50 GMT https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393036#M6134 splunklearner12 2019-05-28T14:22:50Z https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393037#M6135 <P>Are you working on an all-in-one Splunk instance or a distributed environment?</P> <P>I would also check my inputs.conf to see if a host=127.0.0.1 parameter was also defined for the path you want to monitor.</P> Tue, 28 May 2019 15:28:53 GMT https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393037#M6135 uhaq 2019-05-28T15:28:53Z https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393038#M6136 <P>I have found a workaround by creating a field transformation with the below regex, and a corresponding field extraction.<BR /> files.zip:./files/.*/.*/(?&amp;lthostname&amp;gt[\w-]*)<BR /> Then, created an alias for hostname AS host, i.e. overwriting field values.<BR /> It's not ideal because now the search for the host is doubled up in two fields, so I'm still interested if there's a solution for the segment in path method at index time.<BR /> - Sorry for all the edits, I had to figure out how to display &amp;lt, &amp;gt and *</P> Tue, 28 May 2019 15:36:51 GMT https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393038#M6136 splunklearner12 2019-05-28T15:36:51Z https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393039#M6137 <P>Yes, it's single instance.<BR /> There was a line saying host=splunk in local/inputs.conf which I deleted and then restarted splunk, but it made no difference. I found in the web app server settings &gt; general settings that a default host was set to splunk, which I deleted and then restarted, but after restarting the setting just reappeared. The segment in path still doesn't work.</P> Wed, 29 May 2019 08:47:28 GMT https://community.splunk.com/t5/Knowledge-Management/Unable-to-recognize-hostname-from-source/m-p/393039#M6137 splunklearner12 2019-05-29T08:47:28Z