Splunk Enterprise Security

Splunk Enterprise Security: Expected Host Not Reporting finds hosts that are reporting with a different name. How to fix this?

Path Finder

Expected Host Not Reporting finds results for hosts that are reporting with a different name; for instance, the short DNS name rather than the fqdn, or the IP address rather than the hostname.
Is there a way to fix this?


what does your hostname -f return?

Add your FQDN on the /etc/hosts, that should provide you the FQDN.

Also, you can add "host = hostname" field in the inputs.conf on the forwarder

0 Karma


I think @edonze is looking for a solution to the Correlation Rule "Expected Host Not Reporting " in Enterprise Security App. We are also facing the same issue and thus we are getting lot of false positive alerts.

0 Karma


Check out asset table on your ES app.
This table contains field called "is_expected" which determines if host is going to be reported by the mentioned correlation search. If you are getting incorrect values as hostname check the asset table and update it as required.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!