If you enabled /var/log in general as a single sourcetype, you will get many different types of logs ingested but treated the same way. That's not the way to go. Don't mix different types  of input data within a single inputs.conf stanza.

You should have a separate well-defined stanza for all "syslog-like" files like /var/log/messages, separate for other types (I don't know what's happening on your system and what kinds of data you're pulling). Otherwise all those different files from /var/log are getting treated the same way even though they contain data in different formats. That's why your "host" is getting parsed wrongly from many events.

Hi @__Sebastian,

for logs coming from Forwarders, hostname is usually setted in:

• by default:
  • $SPLUNK_HOME/system/local/server.conf 
  • $SPLUNK_HOME/system/local/inputs.conf
• on UF overriding:
  • all inputs.conf
• in Indexers or (uf present) on Heavy Forwarders
  • on props.conf.

for logs coming from syslogs (usually the ones with an IP address as hostname) are setted in inputs.conf.

So you should read the logs with unexpected hostnames and understand what kind of logs they are: syslogs or from Forwarders.

Then you can analyze the conf files to underatand where the hostname is conigured.

Ciao.

Giuseppe

@gcusello As I'm having a test setup, I have deleted all logs. And now I'm only getting logs from defined hosts.

I'll keep it under observation, and will see if it occurs again.

Thanks for your help & detailed explanation. 

Hi @__Sebastian,

when you'll finish the observation, remember to accept an answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated ,-)