*Hi
When I use below query, Im not able to get unix os host type: Can you please let me know what could be the reason

index=_internal source="*metrics.log" group=tcpin_connections 
|  eval sourceHost=if(isnull(hostname), sourceHost,hostname) |eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Light Weight Forwarder",fwdType=="full", "Splunk Indexer", connectionType=="cooked" or connectionType=="cookedSSL","Splunk Forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder") | eval build=if(isnull(build),"n/a",build)
| eval version=if(isnull(version),"pre 4.2",version)
| eval guid=if(isnull(guid),sourceHost,guid)
| eval os=if(isnull(os),"n/a",os)
| eval arch=if(isnull(arch),"n/a",arch)
| eval my_splunk_server = splunk_server | fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps my_splunk_server build version os arch
| eval lastReceived = if(kb>0, _time, null)
| stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps by sourceHost
| stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived first(kb) as KB first(avg_eps) as eps by sourceHost
| eval status = if(isnull(KB) or lastConnected<(info_max_time-60000),"missing",if(lastConnected>(lastReceived+300) or KB==0,"quiet","active")) |sort sourceHost*