
SPL

Find where actual hostnames don't match the host from the Universal Forwarder

Description

Submitted by splunk-pony

Description:  This search lists hosts whose Splunk host field does not match the host name the Universal Forwarder reports in its phonehome URI. That gives you the hosts/IP addresses that need to have the clonefix actions run against them (typically cloned machines that still carry the original's forwarder identity). It can probably be written better to account for host names that include an underscore, since the rex splits the URI on underscores. Requires access to the _internal index, so only admins will be able to use it.
index=_internal *_8089_* event_message="Running phone uri=/services/broker/phonehome/connection_*"
| dedup event_message
| rex "_(?<ip>\d+\.\d+\.\d+\.\d+)_8089_(?<fqdn>.{1,29})_(?<actualHost>.{1,15})_"
| eval actualHost=lower(actualHost)
| eval host=lower(host)
| where actualHost!=host
| table host actualHost ip fqdn uri
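The following Python is an added example, not code from the page's author or from Splunk. It reproduces the search's logic offline (dedup by event_message, field extraction, case-insensitive comparison) over a few constructed _internal-style events, and contrasts the page's rex with an underscore-tolerant parser. The URI layout `connection_<ip>_8089_<fqdn>_<actualHost>_<suffix>` is inferred from the page's regex; that the trailing suffix contains no underscore and that the short host name equals the first DNS label of the fqdn are assumptions made here for the heuristic, and any name the heuristic cannot split unambiguously is flagged for manual review rather than guessed.

```python
import re

# Constructed sample events (not real _internal data).  The URI shape is an
# assumption taken from the regex on the page:
#   .../connection_<ip>_8089_<fqdn>_<actualHost>_<suffix>
PREFIX = "Running phone uri=/services/broker/phonehome/connection_"
SAMPLE_EVENTS = [
    {"host": "web01",   "event_message": PREFIX + "10.1.2.3_8089_web01.example.com_web01_11111111-1111-1111-1111-111111111111"},
    {"host": "db-old",  "event_message": PREFIX + "10.1.2.4_8089_db02.example.com_db02_22222222-2222-2222-2222-222222222222"},
    {"host": "APP03",   "event_message": PREFIX + "10.1.2.5_8089_app03.example.com_app03_33333333-3333-3333-3333-333333333333"},
    # host name containing an underscore: the page's rex misparses this one
    {"host": "lab_box", "event_message": PREFIX + "10.1.2.6_8089_lab_box.example.com_lab_box_44444444-4444-4444-4444-444444444444"},
    # exact duplicate of the first event, to exercise the dedup step
    {"host": "web01",   "event_message": PREFIX + "10.1.2.3_8089_web01.example.com_web01_11111111-1111-1111-1111-111111111111"},
]

# The regex exactly as the page's rex command uses it
PAGE_RE = re.compile(r"_(?P<ip>\d+\.\d+\.\d+\.\d+)_8089_(?P<fqdn>.{1,29})_(?P<actualHost>.{1,15})_")
URI_RE = re.compile(r"uri=(\S+)")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def extract_page_style(event_message):
    """Field extraction equivalent to the page's rex command (same regex)."""
    m = PAGE_RE.search(event_message)
    return m.groupdict() if m else None


def extract_phonehome(event_message):
    """Underscore-tolerant extraction (assumptions: the trailing suffix has no
    underscore, and the short host name is the first DNS label of the fqdn).
    Returns 'ambiguous': True when the name cannot be split unambiguously."""
    m = URI_RE.search(event_message)
    if not m:
        return None
    head, sep, tail = m.group(1).partition("_8089_")
    if not sep:
        return None
    ip = head.rsplit("_", 1)[-1]
    if not IP_RE.fullmatch(ip):
        return None
    body, _sep, _suffix = tail.rpartition("_")  # drop the trailing suffix
    if not body:
        return None
    parts = body.split("_")
    # Try every split point; keep the ones where fqdn's first label == short name
    candidates = []
    for i in range(1, len(parts)):
        fqdn, actual = "_".join(parts[:i]), "_".join(parts[i:])
        if fqdn.split(".")[0].lower() == actual.lower():
            candidates.append((fqdn, actual))
    if len(candidates) == 1:
        fqdn, actual = candidates[0]
        return {"ip": ip, "fqdn": fqdn, "actualHost": actual, "ambiguous": False}
    if len(parts) == 2:  # exactly one underscore: no heuristic needed
        return {"ip": ip, "fqdn": parts[0], "actualHost": parts[1], "ambiguous": False}
    return {"ip": ip, "fqdn": body, "actualHost": None, "ambiguous": True}


def find_mismatches(events, extractor=extract_phonehome):
    """Equivalent of the SPL pipeline: dedup event_message, extract fields,
    lower-case both host values and keep the rows where they differ."""
    seen, rows = set(), []
    for ev in events:
        msg = ev["event_message"]
        if msg in seen:
            continue
        seen.add(msg)
        fields = extractor(msg)
        if not fields or fields.get("actualHost") is None:
            continue
        actual, host = fields["actualHost"].lower(), ev["host"].lower()
        if actual != host:
            rows.append({"host": host, "actualHost": actual,
                         "ip": fields["ip"], "fqdn": fields["fqdn"]})
    return rows


if __name__ == "__main__":
    print("page rex   :", find_mismatches(SAMPLE_EVENTS, extract_page_style))
    print("tolerant   :", find_mismatches(SAMPLE_EVENTS))
```

Run as-is, the page's rex reports both `db-old` (a genuine mismatch, the host still carries its clone's name) and `lab_box`, which is a false positive produced by the greedy `.{1,29}` splitting `lab_box.example.com_lab_box` at the wrong underscore; the tolerant parser reports only `db-old`. Anything it flags as ambiguous is worth a manual look before a clonefix is run.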
