Why am I seeing duplicate field values under inter...

cc3658 · ‎01-30-2018

Can anyone tell my why I am see duplicate host values (1 uppercase and 1 lowercase) in my interesting fields and how to fix it. I have checked inputs.conf and server.conf, they both show the uppercase version. I am not sure where this second host name is originating from.

migullmills · ‎04-04-2022

Not sure if this is still needing answers after two years, but for anyone searching. I think Ingesteval fixes this as the sourcetypes you are ingesting are coming in with multiple cases. So identify one that is coming in upper and change it to lower : Start by editing

transforms.conf

[host]
INGEST_EVAL = host=lower(host)

props.conf

[my_sourcetype]
TRANSFORMS = host

fields.conf

[host]

INDEXED = True

This will make the selected source come across as lower (can also be eval to upper). Find each sourcetype coming in as upper case and bring it to lower. Or vice versa for upper
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/IngestEval

lakshman239 · ‎03-08-2018

yes, you can override in transforms.conf with the values you want or you can use a regex to extract from the event.
[yoursourcetype]
REGEX = (.+)
DEST_KEY = MetaData:Host
FORMAT = host:my_host

micahkemp · ‎01-30-2018

If the sourcetype is syslog, the syslog-host transform will set the hostname based on the value in the event itself.

For the events that have the unexpected host value, what is the sourcetype, and can you paste the _raw values for them as well?

cc3658 · ‎03-08-2018

Yes, the sourcetype is syslog. How would I correct it? A change to the syslog-host transform or a conf file on the host itself? Thanks!

niketn · ‎01-30-2018

@cc3658 check the source and also sourcetype for the two hosts.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"