You will have to make a dive into the world of index-time transforms. Firstly, you have set the sourcetype to 'syslog', which it clearly isn't. This has implications, because Splunk will try to extract host information from each event. This will fail, since the events are not properly syslog-formatted. Change the sourcetype to 'my_ping_log' or something unique. Also, if possible, let the script add a date/timestamp to each event as well. You should look at the following docs for rewriting the host value prior to indexing the events. http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Overridedefaulthostassignments I guess that your files should look something like; props.conf [my_ping_log] TRANSFORMS-set_host = ping_script_host transforms.conf [ping_script_host] REGEX = ^(\S+)\s+.* DEST_KEY = MetaData:Host FORMAT = host::$1 Please note that the REGEX works for the current event format, i.e. without a timestamp. Hope this helps, Kristian ... View more

Hi saurabh_tek, @saurabh_tek Did u find the solution for this ? i am also having all host details in lookup file only ...when i do ping status it returns nothing... Your reply will helpful Thanks in advance ... View more

I was now change the configuration from "Computername" to there IP-Adress and now i become reports...hm...i must check this the next few days. Other Question, how can i do a dashboard with manually Computernames? When i do a event log dashboard i use: source="WMI:WinEventLog:" ComputerName="" | stats count count(eval(Type="Warnung")) as warnings count(eval(Type="Fehler")) as errors by host But we have MAC-Adress as Computername, i see only "FFC00..." "FF00..." and so on, how must i change the search command that i have costum Names for the restults? FFCC00 = Computer1 FF00 = Computer2 and so on. greets. ... View more

I think now you can do something like this : source="WMI:WinEventLog:*" ComputerName IN ("Client1","Client2","Client3","Client4") ... View more