index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | dedup sourceHost | table sourceHost sourceIP os version | sort version Thanks for sharing this, but when we use this search string we get duplicates, where forwarders in the results list both hostnames and a duplicate records for each as IP address. So we have two results for each forwarder, one with hostname and another with just the IP. Also, the hostname column does not populate the IP address column.
... View more