https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73098#M18290 <P>Correct , and there is also a "host_segment" option to consider.</P> Thu, 16 Feb 2012 21:39:14 GMT Damien_Dallimor 2012-02-16T21:39:14Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73094#M18286 <P>I'm getting some unexpected results when I run the following query for hosts:</P> <P><STRONG>index=mydata | top host</STRONG></P> <P>I expect to see a list of the top hosts in my index however I get back information such as eth0, eth1, sit0, sum, etc in my hosts column. This data is not accurate. When I click on one of the host fields to see get more information about the source, I see...</P> <P><STRONG>host=0.00 sourcetype=syslog source=/var/log/sa/sar15</STRONG> </P> <P>What is causing this, and more importantly, how to stop it? Thanks in advance!</P> Thu, 16 Feb 2012 20:58:37 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73094#M18286 DTERM 2012-02-16T20:58:37Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73095#M18287 <P>It looks like you a monitoring a file....how are you specifying your host field extraction ?</P> Thu, 16 Feb 2012 21:05:27 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73095#M18287 Damien_Dallimor 2012-02-16T21:05:27Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73096#M18288 <P>I love the MARSHALL back ground!! Excellent. Regarding the host field extraction, how do I answer that? What file holds that information?</P> Thu, 16 Feb 2012 21:13:19 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73096#M18288 DTERM 2012-02-16T21:13:19Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73097#M18289 <P>To jump in, you should look at the inputs.conf file and "host_regex" option. So is "sar15" the host?</P> Thu, 16 Feb 2012 21:36:54 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73097#M18289 MHibbin 2012-02-16T21:36:54Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73098#M18290 <P>Correct , and there is also a "host_segment" option to consider.</P> Thu, 16 Feb 2012 21:39:14 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73098#M18290 Damien_Dallimor 2012-02-16T21:39:14Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73099#M18291 <P>[monitor:///var/log]<BR /> sourcetype = syslog<BR /> disabled = false<BR /> host = myhost</P> <P>That is a paragraph in my inputs.conf file. Do I just need to remove that entire paragraph?</P> <P>Thanks,</P> Thu, 16 Feb 2012 22:01:50 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73099#M18291 DTERM 2012-02-16T22:01:50Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73100#M18292 <P>I would change the sourcetype to something else.<BR /> ie: "my_log_file"</P> <P>By using the "syslog" sourcetype , the default syslog host field transforms are getting invoked on your events.</P> <P>That's why your host field is getting filled incorrectly.</P> <P>from etc/system/default</P> <P>props.conf</P> <P>[syslog]<BR /> ...<BR /> TRANSFORMS = syslog-host<BR /> ...</P> <P>transforms.conf</P> <P>[syslog-host]<BR /> DEST_KEY = MetaData:Host<BR /> REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s<BR /> FORMAT = host::$1</P> Mon, 28 Sep 2020 11:24:50 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73100#M18292 Damien_Dallimor 2020-09-28T11:24:50Z https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73101#M18293 <P>sar15 is not the host, just FYI... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 21 Feb 2012 20:59:27 GMT https://community.splunk.com/t5/Splunk-Search/host-lookup/m-p/73101#M18293 DTERM 2012-02-21T20:59:27Z