I've been ignoring this number for 8 or 9 years now as it's never made any sense and doesn't correspond to the results of the queries mentioned above. How does this counter even work?
The problem is the default parsing of the host field on the indexer for pretrained sourcetype linux_messages_syslog.
You can override it with a local props.conf on the receiving indexer.
Have a look at my other answer here:
https://answers.splunk.com/answers/494084/linux-message-syslog-host-name-issue.html