https://community.splunk.com/t5/Getting-Data-In/Accessing-metadata-from-the-format-option-in-transforms-conf/m-p/63805#M12824 <P>eper Splunk support, not possible</P> Thu, 08 Nov 2012 22:03:01 GMT peter_gianusso 2012-11-08T22:03:01Z https://community.splunk.com/t5/Getting-Data-In/Accessing-metadata-from-the-format-option-in-transforms-conf/m-p/63804#M12823 <P>Functionally, here's what I am looking to do.<BR /><BR /> I want to take the host (NJROS1BVA0597), append the source type (VM88 or VM11) identified in the props.conf and then re-write that to the host field.<BR /><BR /> So if the log is CAPPM_UPDATEDB.log, at the end of this, NJROS1BVA0597VM11 would be written to the host field.</P> <P>My regex seems to be working In the format option, because the $0 gets me the original host name without a problem. <BR /> It's getting the source type to append to it, that is the problem.<BR /><BR /> My probably feeble attempt MetaData:Sourcetype does not work. </P> <P>input.conf</P> <PRE><CODE>[monitor://\\njros1bva0597\d$\LogFiles\W3SVC1\] disabled = 0 host = NJROS1BVA0597 index=imaging whitelist = \.log$ </CODE></PRE> <P>Props.conf</P> <PRE><CODE>[source::...\\CAPPM*.log] sourcetype = VM11 [source::...\\ex*.log] sourcetype = VM88 [VM88] TRANSFORMS-hostname = rewrite_host </CODE></PRE> <P>Transforms.conf</P> <PRE><CODE>[rewrite_host] SOURCE_KEY = MetaData:Host REGEX = .* DEST_KEY = MetaData:Host FORMAT = $0MetaData:Sourcetype </CODE></PRE> Tue, 18 Sep 2012 18:25:56 GMT https://community.splunk.com/t5/Getting-Data-In/Accessing-metadata-from-the-format-option-in-transforms-conf/m-p/63804#M12823 peter_gianusso 2012-09-18T18:25:56Z https://community.splunk.com/t5/Getting-Data-In/Accessing-metadata-from-the-format-option-in-transforms-conf/m-p/63805#M12824 <P>eper Splunk support, not possible</P> Thu, 08 Nov 2012 22:03:01 GMT https://community.splunk.com/t5/Getting-Data-In/Accessing-metadata-from-the-format-option-in-transforms-conf/m-p/63805#M12824 peter_gianusso 2012-11-08T22:03:01Z