https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/553587#M157172 <P>I'm not sure if I understood your question correctly, but basically you should do it on SPL like "eval host=orig_host", when you are populating the new index. &nbsp;If you are populating the new index directly from UF then you must use props.conf and transforms.conf and there EVAL_INGEST = host:=orig_host.</P><P>You can look those from&nbsp;<A href="https://conf.splunk.com/files/2020/slides/PLA1154C.pdf" target="_blank">https://conf.splunk.com/files/2020/slides/PLA1154C.pdf</A></P><P>Can you share those SPL/conf files etc. how you are currently doing it?</P><P>r. Ismo</P> Fri, 28 May 2021 20:45:51 GMT isoutamo 2021-05-28T20:45:51Z https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/553540#M157158 <P>I have a report that is getting events from an existing index, processing the data and indexing again to another custom Index I've created.</P><P>The original index have the "host" field populated with the indexer hostname. I need to replace this value with the value of another field. For that (and more) reason I've created a new index and a report, schedule and configure it to populate the new index. The report shows the information exactly as I need.</P><P>The problem is when the report is being indexed to the new index: The "host" field is being populated with the indexer as value (as in original index) and the value that I need to be in host field is in another field automatically created and named "orig_host".</P><P>How can I fix that?&nbsp;</P> Fri, 28 May 2021 15:04:13 GMT https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/553540#M157158 denissotoacc 2021-05-28T15:04:13Z https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/553587#M157172 <P>I'm not sure if I understood your question correctly, but basically you should do it on SPL like "eval host=orig_host", when you are populating the new index. &nbsp;If you are populating the new index directly from UF then you must use props.conf and transforms.conf and there EVAL_INGEST = host:=orig_host.</P><P>You can look those from&nbsp;<A href="https://conf.splunk.com/files/2020/slides/PLA1154C.pdf" target="_blank">https://conf.splunk.com/files/2020/slides/PLA1154C.pdf</A></P><P>Can you share those SPL/conf files etc. how you are currently doing it?</P><P>r. Ismo</P> Fri, 28 May 2021 20:45:51 GMT https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/553587#M157172 isoutamo 2021-05-28T20:45:51Z https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/554088#M157300 <P>Hi Soutamo. Thanks for your response. I am populating the new index with a report that extract and process data from another existing index.<BR /><BR />My search/report looks like the following:</P><P>&nbsp;</P><LI-CODE lang="python">index=OldIndex #SOME OTHER COMMANDS THAT WE NEED TO EXECUTE | eval host = SomeOtherField | fields + host, metric_label, metric_value | collect index=NewIndex</LI-CODE><P>&nbsp;</P><P><BR />The result event looks exactly as I need: Only 3 fields, and host field populated correctly. I've scheduled it to run every 5 minutes.<BR />But then, in the "NewIndex" the data is being populated like "OldIndex": with the same fields and the "host" with the original value.<BR /><BR />What is the problem?</P> Wed, 02 Jun 2021 12:03:18 GMT https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/554088#M157300 denissotoacc 2021-06-02T12:03:18Z https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/554097#M157302 <P>Hi</P><P>you should use host=&lt;your host&gt; etc with collect. See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Collect" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Collect</A></P><P>r. Ismo</P> Wed, 02 Jun 2021 13:17:40 GMT https://community.splunk.com/t5/Splunk-Search/host-field-being-populated-automatically-when-indexing-a-report/m-p/554097#M157302 isoutamo 2021-06-02T13:17:40Z