Logs from centralised solution do not pass host field in some instances
esky
We have a distributed solution and a centralised solution.
Both send events to Splunk (I'm the Splunk Admin).
100% of the distributed events have the host field present.
About 50% of the centralised events have the host field missing and show:
Hostname: ?
Any idea why this would be? Is this a misconfiguration on the centralised host somewhere, or on the agentless side?
Module:
SourceModuleName: in_audit_pipe
SourceModuleType: im_pipe
Thanks.