For some reason, splunk is showing one host as two, one as DC01 (example) and dc01. Is there any way to merge them?
There are some known issues (bugs) regarding how hostnames are retrieved. Some of this is fairly difficult to control, e.g. if Splunk receives a logfile with dc01.fqdn in it, it would probably be difficult to normalize that. It could be a bad idea to just lop off the domain. However, there are cases where Splunk data sources (e.g. perfmon or WMI) don't use a consistent means to gather the hostname, which is stupid and hopefully being resolved soon. All hostnames should be lowercased and the same method should be used to retrieve the hostname when dealing with scripted inputs. I'm not sure how fqdn vs. short name should be handled though -- I think you're left with 2 entries in that case.
On the upside, searches are not case sensitive for field values, so "host=dc01" will retrieve events for dc01 and DC01.
This has also been an issue for me. While collecting logs via WMI, sometimes a machine that has a hostname of dc01 will be pulled into Splunk as dc01, DC01, or even dc01.domain.org. As mw stated, searches are not case sensitive, so I can search for all logs from this host by using host="dc01*".
Yeah, I guess it's not that big of a deal. Is there any place where you can send a bug report?
It's a bit more strange that the Windows hosts don't show up in the Windows app, just the search app; you see all the WinEventLog:Security etc. but just in the search app.
Bugs can be submitted here:
In my humble opinion, I didn't see much point to using the Windows app (maybe I did not spend enough time with it). Most of the default searches provided did not work with our data, so I did everything from scratch in the search app. I use the search app for almost everything.
Yeah, that one's a pain. I just use lower() on the field that's causing me trouble:
... | eval host=lower(host)
As stated, search qualifiers will ignore case, but this will help with the stats grouping.
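As an added illustration (not code from this thread, and not Splunk itself), the Python sketch below simulates the two behaviours the answers describe on a constructed event list: a host="dc01*" qualifier that ignores case, and a stats-style grouping that does not, with and without the equivalent of eval host=lower(host). The event list, field names and helper functions are assumptions made for the example. It deliberately keeps the dc01.domain.org variant as its own group rather than lopping off the domain, in line with mw's caveat above.

```python
import fnmatch
from collections import Counter

# Constructed sample events (not real Splunk data): one domain controller
# reported under three spellings by different inputs, plus an unrelated host.
EVENTS = [
    {"host": "DC01", "sourcetype": "WinEventLog:Security"},
    {"host": "dc01", "sourcetype": "WinEventLog:Security"},
    {"host": "dc01", "sourcetype": "Perfmon:CPU"},
    {"host": "dc01.domain.org", "sourcetype": "WMI:WinEventLog"},
    {"host": "FS02", "sourcetype": "WinEventLog:Security"},
]


def search_host(events, pattern):
    """Mimic a search qualifier such as host="dc01*": wildcard match,
    case-insensitive, as the thread notes field-value searches are."""
    pat = pattern.lower()
    return [e for e in events if fnmatch.fnmatchcase(e["host"].lower(), pat)]


def stats_count_by_host(events, normalize=False):
    """Mimic `| stats count by host`. Grouping keys are compared exactly, so
    without normalization DC01 and dc01 land in separate rows. With
    normalize=True the equivalent of `| eval host=lower(host)` runs first.
    The FQDN variant stays separate either way; merging it is a policy call."""
    key = (lambda e: e["host"].lower()) if normalize else (lambda e: e["host"])
    return dict(Counter(key(e) for e in events))


if __name__ == "__main__":
    print("host=dc01* matches:", len(search_host(EVENTS, "dc01*")))
    print("stats by host (raw):      ", stats_count_by_host(EVENTS))
    print("stats by host (lowered):  ", stats_count_by_host(EVENTS, normalize=True))
```

Running it shows the search qualifier already picking up all four dc01 spellings, while the raw grouping splits DC01 from dc01 until the lowercase normalization is applied.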