I am getting two separate values in host field for the same host!
Both the values are:
Hostname and hostname.
I am not sure why this is happening, because I am getting logs from only one host via the Splunk Universal Forwarder, but in Splunk I am still getting two different host values for them.
You will need to create/edit the following files in $SPLUNK_HOME/etc/apps//local/:
NOTE: the following is just an example and should be modified to meet your requirements, using the relevant spec files for assistance:
props.conf:

[yourSourceTypeHere]
# the setting name is TRANSFORMS-<class>; a "TRANSFORM-" key is ignored by Splunk
TRANSFORMS-hostnametrans = hostoverride

transforms.conf:

[hostoverride]
# match "Mon DD HH:MM:SS host ..." and capture the whole host token
# ([^ ]+ rather than [^ ], which would capture only the first character)
REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?P<host>[^ ]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
You will need to restart Splunk to apply this change.
The following docs should be of use here...
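To make the two points in this thread concrete, here is an added example in Python (not from the thread or from Splunk) that runs the answer's host-override regex, with its capture widened to `[^ ]+`, over a few constructed events. It shows how the case-variant host tokens "Hostname" and "hostname" become two separate host values when counted as plain strings, as `stats count by host` does in Splunk, and that a Windows Event Log style event with no "Mon DD HH:MM:SS host" prefix does not match the regex at all, so such a transform would not fire on the data the poster describes. The sample events and the `case_fold` normalization are my own assumptions for illustration.

```python
import re
from collections import Counter

# Regex in the shape of the answer's transforms.conf REGEX, with the capture
# widened from [^ ] (one character) to [^ ]+ (the whole host token). Both
# Python's re and Splunk's PCRE accept the (?P<host>...) named group.
HOST_RE = re.compile(r"\w+\s+\d+\s+\d+:\d+:\d+\s+(?P<host>[^ ]+)")

# Constructed sample events; none are from the original post. The first two are
# syslog-style lines the answer's regex is written for, differing only in the
# case of the host token. The third imitates a Windows Event Log event as the
# poster describes: no "Mon DD HH:MM:SS host" prefix, so the regex cannot match
# and the transform would leave the forwarder-assigned host untouched.
SAMPLE_EVENTS = [
    "Jan 12 10:15:01 Hostname sshd[123]: Accepted publickey for alice",
    "Jan 12 10:15:07 hostname sshd[124]: Accepted publickey for bob",
    "01/12/2024 10:15:09 AM\nLogName=Security\nEventCode=4624\nComputerName=hostname.example.local",
]


def extract_host(event):
    """Return the host value the transform would set, or None when REGEX does not match."""
    m = HOST_RE.match(event)
    return m.group("host") if m else None


def hosts_by_value(events, case_fold=False):
    """Count events per extracted host, optionally lower-casing so case variants merge.

    Splunk stores MetaData:Host as a string, so 'Hostname' and 'hostname' show up
    as two distinct hosts in `stats count by host` unless they are normalized,
    which is exactly the symptom the question describes.
    """
    counts = Counter()
    for event in events:
        host = extract_host(event)
        if host is None:
            continue  # transform did not fire; event keeps the host the forwarder set
        counts[host.lower() if case_fold else host] += 1
    return counts


if __name__ == "__main__":
    print("raw:         ", dict(hosts_by_value(SAMPLE_EVENTS)))
    print("case-folded: ", dict(hosts_by_value(SAMPLE_EVENTS, case_fold=True)))
    print("windows line:", extract_host(SAMPLE_EVENTS[2]))
```

Running the block prints two hosts for the raw count and one after case-folding, and `None` for the Windows-style event. The practical takeaway for the thread is that a regex-based host override only helps when the event text actually carries the host in a predictable position; for forwarder-collected Windows events the host value is set by the forwarder, so a case mismatch there has to be resolved at the forwarder or by normalizing the host value consistently at index time.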
I am aware of the host change methods, and I am not looking for a solution to the problem.
What I would like to know is the reason behind the problem. The logs are being forwarded from only one server, and that is also via the Universal Forwarder. So why am I getting two different host values?
No, I am not overriding the data anywhere. The installation of the Universal Forwarder was also done through the GUI, so I am not overriding anything through configuration files.
Also, the data I am fetching are simple Windows Event Log events, which don't have any other host keyword that could override the data.