https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147393#M30018 <P>[monitor:///tmp/usr/local/sse/apache-ers/servers/aep.qa.abcd.org/logs/<EM>access.log</EM>]<BR /> blacklist = .(txt|gz)$<BR /> sourcetype=apache</P> <P>Checked it like 20 times.</P> Fri, 02 May 2014 18:10:03 GMT theouhuios 2014-05-02T18:10:03Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147386#M30011 <P>hello</P> <P>I am trying to extract a field and change the value of source for apache logs. The source comes as </P> <PRE><CODE>/tmp/usr/local/sse/apache-ers/servers/aep.qa.abcd.org/logs/https_access.log.3242r4252" </CODE></PRE> <P>First, I am trying to extract <CODE>aep.qa.abcd.org</CODE> as the field filename and change the source to </P> <PRE><CODE> /tmp/usr/local/sse/apache-ers/servers/aep.qa.abcd.org/logs/https_access.log </CODE></PRE> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[apache] TRANSFORMS-replace_values_from_source = replace_filename_from source , replace_source_from_source </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[replace_filename_from source] SOURCE_KEY = MetaData:Source REGEX = ^source::(?:/[^/]+){6}/(?P&lt;filename&gt;[a-z.]+)\/ FORMAT = filename::$1 [replace_source_from_source] SOURCE_KEY = MetaData:Source REGEX = ^source::^(\S+\.log)\. FORMAT = source::$1 DEST_KEY = MetaData:Source </CODE></PRE> <P>It doesn't seem to work. I tested the regexes and they work fine with rex command. Any ideas?</P> Wed, 30 Apr 2014 14:41:38 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147386#M30011 theouhuios 2014-04-30T14:41:38Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147387#M30012 <P>I applied them on indexers and also applied the transforms on Search head. Still doesn't work</P> Wed, 30 Apr 2014 18:42:49 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147387#M30012 theouhuios 2014-04-30T18:42:49Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147388#M30013 <P>Removed transforms from index time and sent them only to searchtime for filename extraction. Even this doesn't work. Do I need to mention any DEST_KEY for it to work?</P> Thu, 01 May 2014 12:55:51 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147388#M30013 theouhuios 2014-05-01T12:55:51Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147389#M30014 <P>I'm not sure you need the source:: in the regex. We're not doing QUITE the same thing (not changing source, just sourcetype and index) but the "customer" field is an index-time field like what you're doing with filename. This is applied on our Splunk heavy forwarder that reads the files. If you're using a heavy forwarder to read the data, these should go there. If you're using a universal forwarder, or have the inputs.conf configured on the indexer, these should go on the indexer.</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[source::/var/log/netsyslog/...] TRANSFORMS-sourcetype = set_sourcetype_from_source_path TRANSFORMS-customer = set_customer_from_source_path TRANSFORMS-index = set_index_from_source_path </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[set_sourcetype_from_source_path] SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Sourcetype REGEX = /var/log/netsyslog/[^/]+/([^/]+)/ FORMAT = sourcetype::$1 [set_customer_from_source_path] SOURCE_KEY = MetaData:Source WRITE_META = true REGEX = /var/log/netsyslog/([^/]+)/ FORMAT = customer::$1 [set_index_from_source_path] SOURCE_KEY = MetaData:Source DEST_KEY = _MetaData:Index REGEX = /var/log/netsyslog/([^/]+)/([^/]+)/ FORMAT = $2_$1 </CODE></PRE> <P>I'm not sure that you need the "source::" in the regex. In your first transform, you have a space in the stanza name, as well as escaping only one of the / in the regex (you don't need to escape any of them). In the second transform, you have "^source::^" which I don't think is what you want. You can give these a try, but I haven't tested them:</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[apache] TRANSFORMS-replace_values_from_source = replace_filename_from_source,replace_source_from_source </CODE></PRE> <P><STRONG>transforms.conf</STRONG><BR /> [replace_filename_from source]<BR /> SOURCE_KEY = MetaData:Source<BR /> WRITE_META = true<BR /> REGEX = (?:/[^/]+){6}/(?P<FILENAME>[a-z.]+)/<BR /> FORMAT = filename::$1</FILENAME></P> <PRE><CODE>[replace_source_from_source] SOURCE_KEY = MetaData:Source REGEX = ^(\S+\.log)\.[^.]+$ FORMAT = source::$1 DEST_KEY = MetaData:Source </CODE></PRE> Mon, 28 Sep 2020 16:31:05 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147389#M30014 mcmaster 2020-09-28T16:31:05Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147390#M30015 <P>Still doesn't work. I am not sure why but I think its not even applying them,which is kinda strange. I have done the similar extraction of yours for host,source and index from source for our rsyslog data sometime back and it worked on the HF.</P> Fri, 02 May 2014 13:02:11 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147390#M30015 theouhuios 2014-05-02T13:02:11Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147391#M30016 <P>Tried it one by one too. Doesn't work.Any ideas?</P> Fri, 02 May 2014 17:35:50 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147391#M30016 theouhuios 2014-05-02T17:35:50Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147392#M30017 <P>The logs are definitely being identified as sourcetype apache, right?</P> Fri, 02 May 2014 17:46:39 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147392#M30017 mcmaster 2014-05-02T17:46:39Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147393#M30018 <P>[monitor:///tmp/usr/local/sse/apache-ers/servers/aep.qa.abcd.org/logs/<EM>access.log</EM>]<BR /> blacklist = .(txt|gz)$<BR /> sourcetype=apache</P> <P>Checked it like 20 times.</P> Fri, 02 May 2014 18:10:03 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147393#M30018 theouhuios 2014-05-02T18:10:03Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147394#M30019 <P>Made a mistake of sending the file from HF. Parsing was being done on HF and these configs were not there. Moved them to UF and works like a charm. </P> <P>Only change</P> <PRE><CODE>[replace_source_from_source] SOURCE_KEY = MetaData:Source REGEX = ^(\S+\.log)\.[^.]+$ FORMAT = source::$1 --&gt; Change this to FORMAT = $1 DEST_KEY = MetaData:Source </CODE></PRE> Thu, 08 May 2014 15:47:57 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147394#M30019 theouhuios 2014-05-08T15:47:57Z