https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452#M20569 <P>Hi,</P> <P>I have a small lab where there is a <CODE>heavy forwarder</CODE>. I can/want to perform transformation on Meta info at Heavy forwarder level. I have two related questions.</P> <P>The first question --</P> <P>I have a <CODE>source</CODE> field something like -- <CODE>/&lt;dir1&gt;/&lt;dir2&gt;/&lt;logfilename&gt;</CODE> and I want to remove <CODE>/&lt;dir1&gt;/&lt;dir2&gt;</CODE> from source field. How can I do that?</P> <P>I also want to rewrite <CODE>sourcetype</CODE> field before sending data to indexer. Let's say if we find <CODE>secure</CODE> in any part of <CODE>sourcetype</CODE> then <CODE>sourcetype</CODE> should be <CODE>secure</CODE>. (i.e. remove all other characters except <CODE>secure</CODE> )</P> <P>Please help!</P> <P>Thanks!</P> Wed, 26 Oct 2011 14:52:57 GMT rahiparikh 2011-10-26T14:52:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452#M20569 <P>Hi,</P> <P>I have a small lab where there is a <CODE>heavy forwarder</CODE>. I can/want to perform transformation on Meta info at Heavy forwarder level. I have two related questions.</P> <P>The first question --</P> <P>I have a <CODE>source</CODE> field something like -- <CODE>/&lt;dir1&gt;/&lt;dir2&gt;/&lt;logfilename&gt;</CODE> and I want to remove <CODE>/&lt;dir1&gt;/&lt;dir2&gt;</CODE> from source field. How can I do that?</P> <P>I also want to rewrite <CODE>sourcetype</CODE> field before sending data to indexer. Let's say if we find <CODE>secure</CODE> in any part of <CODE>sourcetype</CODE> then <CODE>sourcetype</CODE> should be <CODE>secure</CODE>. (i.e. remove all other characters except <CODE>secure</CODE> )</P> <P>Please help!</P> <P>Thanks!</P> Wed, 26 Oct 2011 14:52:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452#M20569 rahiparikh 2011-10-26T14:52:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98453#M20570 <P>You can try rewriting (reformating) the source key for your first question. You can use transforms and props to do that. Here's an example of how transforms.conf may look like:</P> <P>transforms.conf</P> <P><CODE>[&lt;unique_transform_stanza_name&gt;]<BR /> SOURCE_KEY = MetaData:Source <BR /> REGEX = &lt;regular_expression&gt;<BR /> FORMAT = source::$1<BR /> DEST_KEY = MetaData:Source</CODE></P> <P>props.conf</P> <P><CODE>[&lt;spec&gt;]<BR /> TRANSFORMS-&lt;value&gt; = &lt;unique_stanza_name&gt;</CODE></P> <P>For your second question you can do pretty much the same thing, but operate on MetaData:Sourcetype instead of Source.</P> <P>There is additional and very helpful information here:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.2.4/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/4.2.4/Admin/Transformsconf</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configureindex-timefieldextraction">http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configureindex-timefieldextraction</A></P> <P><CODE>- please upvote if you find this answer useful</CODE></P> Wed, 26 Oct 2011 15:10:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98453#M20570 _d_ 2011-10-26T15:10:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98454#M20571 <P>Thanks for reply! This works. I have already tried this. But problem with it is -- <DIR2> is a device name. I use host_segment to extract device name. Now, when I use both together, the host_segment will not have effect! <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></DIR2></P> Mon, 28 Sep 2020 10:01:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98454#M20571 rahiparikh 2020-09-28T10:01:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98455#M20572 <P>In that case then i would try using <CODE>priority=n</CODE> in the affected props stanzas. More on priority or precedence can be found here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> Wed, 26 Oct 2011 15:28:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98455#M20572 _d_ 2011-10-26T15:28:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98456#M20573 <P>Will this work? I want to perform transformation on Heavy Forwarder and send data to indexer. I do not index locally.</P> Wed, 26 Oct 2011 15:38:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98456#M20573 rahiparikh 2011-10-26T15:38:57Z