When I try to search for the hostname (ks75rhel) by typing it in the search bar, I'm not getting any results. I tried the following ways...
ks75rhel
*ks75rhel*
ks75*
I did get results when I use host=ks75rhel. Did anyone face this kind of issue...? Any help would be appreciated. Thanks..!!

The host field is a metadata field and in most cases it's not logged in the raw data (generally taken as the server name of the forwarder). The method that you tried is a text search and it checks only the raw data, and I guess no host name is available in the raw data, hence no result. And when you use host=ks75rhel, it will return results, as that will query the metadata field value. Hope it makes some sense.
Now, when you include the host field in your query, the following will work fine:
host=ks75rhel
host=*ks75rhel*
host=ks75*

You may want to try search-time extractions, something like (assuming the literal uri=" shows up for the first time in the entire raw string):
rex field=_raw "uri=\"(?<uri>[^\"]+)\""
If you can paste some sample data with different variations of the uri, I might be able to provide a cleaner regex expression.
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Rex
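Added example, not from this thread and not Splunk's own code: a small Python model of what the two answers above describe, namely a bare term searching only the raw event text while host=... queries the metadata field, plus a search-time regex extraction of uri. The event is constructed from the sample log posted later in the thread; the tokenising and wildcard rules are simplifications of Splunk's behaviour, and the capture-group name uri is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Constructed event modelled on the access_combined sample posted in this
# thread. The raw text never contains the hostname: host, source and
# sourcetype are metadata Splunk attaches from its input configuration.
EVENT = {
    "_raw": '192.168.6.3 - - [02/Mar/2016:10:49:55 -0600] "GET /test.htm " 200 168 "-" "-" 0 2341',
    "host": "ks75rhel",
    "source": "/opt/applications/web2/servers/ks_ncr/logs/access.20160302000000.log",
    "sourcetype": "access_combined",
}
# Constructed key=value line so the uri extraction has something to find.
KV_EVENT = {"_raw": 'ts=2016-03-02T10:49:55 uri="/testing.htm" status=200', "host": "ks75rhel"}

# Search-time extraction in the spirit of the rex answer: capture the first
# double-quoted value after uri= into a field called uri (the field name is
# an assumption; it was stripped from the posted command).
URI_RE = re.compile(r'uri="(?P<uri>[^"]+)"')

def extract_uri(event):
    """Return the extracted uri value, or None when the pattern is absent."""
    m = URI_RE.search(event["_raw"])
    return m.group("uri") if m else None

def term_matches(event, term):
    """Simplified model of one search term; not Splunk's real engine.

    field=value is compared against that field, wildcards allowed,
    case-insensitive. A bare term is a free-text search: it is matched
    only against the tokens of _raw, so metadata like host is never consulted.
    """
    if "=" in term:
        field, pattern = term.split("=", 1)
        value = event.get(field)
        return value is not None and fnmatchcase(value.lower(), pattern.lower())
    tokens = re.findall(r"\w+", event["_raw"].lower())
    return any(fnmatchcase(tok, term.lower()) for tok in tokens)

def search(events, query):
    """Every whitespace-separated term must match (Splunk's implicit AND)."""
    terms = query.split()
    return [e for e in events if all(term_matches(e, t) for t in terms)]

if __name__ == "__main__":
    for q in ("ks75rhel", "*ks75rhel*", "ks75*", "host=ks75rhel", "host=*ks75rhel*", "host=ks75*"):
        print(f"{q:16} -> {len(search([EVENT], q))} result(s)")
```

Running it reproduces the thread: the three bare-term searches return nothing, the three host= searches each return the event.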
		It's not so much indexed vs. raw data, it's more like source event data vs. metadata. _time, host, source and sourcetype are some of the event metadata fields that Splunk assigns to each event based on YOUR configuration.
Only the raw event stream counts against your license.
We store metadata in files alongside the raw data (in journal.gz). Why would you want to tweak it and what do you want to tweak?
@3: Metadata exists alongside the raw data and will be kept current and accurate with it. If - say - the last event for host xyz ages out of the system, you won't find any references to it in metadata files either.
We store metadata in files alongside the raw data (in journal.gz). Why would you want to tweak it and what do you want to tweak?
I wanted to know if I can change the hostname from ks75rhel to webserver01 or similar...
You'd need a lookup table to make that work, which can only be used at search time, not when the host field is written. An automated lookup should be enough to address your issue:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/Makeyourlookupautomatic

Makes sense... the raw data doesn't have a host field. I have a few questions on this...
1. Coming to the difference between indexed and raw data: indexed data is the one which does key-value pair extractions, and license would be calculated based on the indexed data..?
2. How does Splunk store the metadata (like host=ks75rhel)...? Can we make any tweaks on this...?
3. Does the retention period apply to both indexed and raw data...?

A little confused: when you search for (ks75rhel), do you have this entry in the logs (without braces?) or is it just a field/metadata of the actual field host? Can you post a sample log that has the host entry? Hard to figure otherwise.
Thanks,
Raghav

I have pasted the sample log I get when I search by host=ks75rhel; when I type in just ks75rhel, the output is blank...
3/2/16   192.168.6.3 - - [02/Mar/2016:10:49:55 -0600] "GET /test.htm " 200 168 "-" "-" 0\2341
10:49:55.000 AM    bytes = 168 clientip = 192.168.6.3 file = testing.htm host = ks75rhel index = rhelt0 method = GET response_ms = 2341 source = /opt/applications/web2/servers/ks_ncr/logs/access.20160302000000.log sourcetype = access_combined uri_path = /testing.htm
