The right question to ask is: What methods are used to ingest those sources showing "unassigned"? Yes, your admin and source developers should make sure that Splunk gets the host field in any source, because this is a required base field for Splunk. In most cases, Splunk will try to decipher host from source; sometimes it will even use the index server as host. But yes, there are ways to defeat Splunk no matter what the server does. Getting Data In contains information about how to correctly configure sources. There's also a dedicated forum about Getting Data In. Good luck.
@yuanliu YES. That's the answer I'm looking for (Splunk gets host field in any source because this is a required base field for Splunk). Do you have any link for Splunk documentation to indicate the general rules for the host field? I'm trying to convince the source developers to assign a value to the host field for all feeds.
Thank you so much.
This is from the Getting Data In document linked above: Configure host values. (Each data source is different.)
It is possible that those "unassigned" values are populated by some special rule (like a calculated field). In the raw feed, host is perhaps blank. In that case, when you group by host, those records will not show. That tstats would then be equivalent to
index=aindex host=*
| stats count by host,sourcetype,index
This can be a test to detect such a condition.
index=aindex NOT host=*
| stats count by sourcetype, index
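As an added example, not from this thread or from Splunk's documentation, here is how a feed can be made to carry a host value before it is indexed, so the raw search and the tstats search agree. The path layout, sourcetype name and event format are constructed for the example.

```ini
# inputs.conf (on the forwarder): derive host from the monitored path.
# Assumed layout: /var/log/remote/<hostname>/app.log, so the hostname is
# the 4th "/"-separated path segment (var=1, log=2, remote=3, <hostname>=4).
[monitor:///var/log/remote/*/app.log]
sourcetype = app_log
host_segment = 4

# props.conf (on the indexer or heavy forwarder): for the same sourcetype
# arriving over a channel that supplies no usable host (e.g. syslog relay),
# run an index-time transform that pulls host out of the event text.
[app_log]
TRANSFORMS-set_host = app_log_host_from_event

# transforms.conf: constructed event format "... host=web01 ...".
# Writing to MetaData:Host sets the indexed host field, so tstats and
# "| stats count by host" see the same value.
[app_log_host_from_event]
REGEX = \bhost=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After restarting the forwarder/indexer, re-run the `index=aindex NOT host=*` check from above against new data; existing events keep whatever host they were indexed with.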
There is no host field in any of those raw messages. It looks like Splunk assigned "unassigned" to the host field if it's blank.
What are the general rules for host field parsing in Splunk? Should every feed be assigned a value for the host field (if it's blank)?
Will assigning a value to the host field (if it's blank) fix the tstats search problem?