I am monitoring two files:
/var/log/secure
and
/var/log/messages
In the Data Summary Hosts tab, I have two hosts:
mymachine.mycompany.internal
mymachine
inputs.conf
[default]
host = mymachine.mycompany.internal
I am guessing /var/log/secure are linux secure -- did you happen to install the TA? My best guess is that there's a transforms/props file on the searchhead that is causing the host name to be re-written depending on the content of the message. Do you notice a pattern of which ones say mymachine versus the others?