https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78454#M16059 <P>Yes, both the props.conf and transforms.conf settings need to go on the indexer.</P> Sat, 05 Jan 2013 10:54:14 GMT Ayn 2013-01-05T10:54:14Z https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78451#M16056 <P>(updated with correct solution)</P> <P>Question: I want to overwite the source when the UF is sending data to the Splunk server. This is how it should be.</P> <P>On the UF the config is splunkforwarder/etc/system/local:</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>[monitor:///data/logs/UCMFON/*.access] disabled = false followTail = 1 host = $decideOnStartup index = fon sourcetype = access:web:ucm </CODE></PRE> <P>On the Splunk Server (indexer) the config is splunk/system/local:</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[access:web:ucm] NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD=50 TRANSFORMS-source=extract-filename-from-source </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[extract-filename-from-source] # /a/b/c/e1_fgh2.log # removes directory # DEST_KEY=MetaData:Source SOURCE_KEY=MetaData:Source REGEX = (([\w|\d|-]*)\.\w*) FORMAT = source::$1 </CODE></PRE> Fri, 04 Jan 2013 13:39:05 GMT https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78451#M16056 mkelderm 2013-01-04T13:39:05Z https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78452#M16057 <P>See <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">here</A></P> <P>If you want to use anything in transforms.conf, it has to be done on an indexer</P> <P>So its valid to set the sourcetype on the UF, but the logic for setting the source will need to be moved up to your indexer(s)</P> Fri, 04 Jan 2013 13:53:28 GMT https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78452#M16057 jonuwz 2013-01-04T13:53:28Z https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78453#M16058 <P>So I need to move my transforms.conf to the splunk-server (the indexer)? In the same directory?</P> Sat, 05 Jan 2013 10:15:28 GMT https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78453#M16058 mkelderm 2013-01-05T10:15:28Z https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78454#M16059 <P>Yes, both the props.conf and transforms.conf settings need to go on the indexer.</P> Sat, 05 Jan 2013 10:54:14 GMT https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78454#M16059 Ayn 2013-01-05T10:54:14Z https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78455#M16060 <P>One thing you're missing. Your regex is exactly "source:: ...." Drop the first part, source:: and it will work.</P> Tue, 08 Jan 2013 11:36:27 GMT https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78455#M16060 qjvtenkroode 2013-01-08T11:36:27Z https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78456#M16061 <P>Thanks! Fixed the issue!</P> Tue, 08 Jan 2013 11:42:57 GMT https://community.splunk.com/t5/Getting-Data-In/Can-the-Universal-Forwarder-overwite-the-source-with-transforms/m-p/78456#M16061 mkelderm 2013-01-08T11:42:57Z