Hello,
In our Splunk Enterprise, we have created a customized indexer. We are trying to get certain events of a specific host, but as soon as we type index="Event_Logs" host=WindowServer
in Search, we get the results of 2 hosts with the same host name.
1. WINDOWSERVER (UPPER_CASE)
2. windowserver (lower_case)
The count appearing in the Search results is different.
Any idea about this behavior?
Appreciate your help.
== Umang Solanki
This problem is primarily a Windows problem in that it frequently will ALL-CAPS hostnames but sometimes leave it the way you configured it. You could modify the hostname in Windows to be ALL-CAPS OR you can override the host at index time OR deal with it at search time like this:
index="Event_Logs" host=WindowServer | eval host=upper(host)
Don't forget about the domain problem, too. Here is a good discussion on that and more details, too:
http://answers.splunk.com/answers/28879/host-value-for-windows.html
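To see why the two spellings split the count and how the search-time fix collapses them, here is an added Python example (not from this thread and not Splunk code) that applies the same normalization to a few constructed events, also folding a domain suffix, and lists which raw spellings and sourcetypes feed each host.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, Set

# Constructed sample events (not from the thread): one Windows machine shows up
# in different case, and one source attaches the domain suffix as well.
SAMPLE_EVENTS = [
    {"host": "WINDOWSERVER", "sourcetype": "WinEventLog:System"},
    {"host": "WINDOWSERVER", "sourcetype": "WinEventLog:Security"},
    {"host": "windowserver", "sourcetype": "Perfmon:CPU"},
    {"host": "windowserver.corp.example", "sourcetype": "script://diskinfo"},
    {"host": "OTHERHOST", "sourcetype": "WinEventLog:System"},
]


def normalize_host(host: str) -> str:
    """Fold case and drop any domain suffix so every variant of one box matches.

    The case fold is what the SPL `eval host=upper(host)` does; splitting on "."
    additionally handles the FQDN-vs-short-name (domain) problem.
    """
    short_name = host.split(".", 1)[0]
    return short_name.upper()


def count_by_host(events: Iterable[dict], normalize: bool) -> Dict[str, int]:
    """Equivalent of `... | stats count by host`, with or without the eval fix."""
    counts: Counter = Counter()
    for event in events:
        key = normalize_host(event["host"]) if normalize else event["host"]
        counts[key] += 1
    return dict(counts)


def spellings_by_host(events: Iterable[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Map each normalized host to the raw spellings and sourcetypes behind it.

    Useful for finding which input (for example a scripted input) writes the
    odd spelling before deciding on an index-time override.
    """
    result: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for event in events:
        result[normalize_host(event["host"])][event["host"]].add(event["sourcetype"])
    return {norm: dict(raw) for norm, raw in result.items()}


if __name__ == "__main__":
    print(count_by_host(SAMPLE_EVENTS, normalize=False))  # split counts
    print(count_by_host(SAMPLE_EVENTS, normalize=True))   # collapsed counts
    print(spellings_by_host(SAMPLE_EVENTS))
```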
What are the two source/sourcetypes? I am guessing one is scripted input.