https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224568#M43953 <P>I have done everything wrong that it is possible to do wrong; education by scars keeps memory sharp!</P> Tue, 15 Sep 2015 15:53:21 GMT woodcock 2015-09-15T15:53:21Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224564#M43949 <P>I have configured heavy weight forwarders to get the JMX server data. While forwarding the data to indexers, source field displays the path of those servers. I want to reduce the unwanted strings and override the source field with only server names in it. </P> <PRE><CODE>source="service:jmx:rmi:///jndi/rmi://abcde000001234:1111/jmxrmi" </CODE></PRE> <P>I want the source field to extract </P> <PRE><CODE>source =abcde000001234:1111 </CODE></PRE> <P>I tried to override the field using props and transforms </P> <PRE><CODE>Transforms.conf [source] REGEX =(.*)(:\/\/)(.*)(\/jmxrmi) FORMAT = source::$3 SOURCE_KEY=MetaData:Source DEST_KEY = MetaData:Source Props.conf [jmx] REPORT-source = source SHOULD_LINEMERGE = false MAX_TIMESTAMP_LOOKAHEAD = 50 </CODE></PRE> <P>However, I am able to extract different field capturing only desired output using inline search. <BR /> But I want the source field to display only the host name from where data is coming and remove all irrelevant strings. Is there any way to get it?</P> Tue, 15 Sep 2015 12:44:34 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224564#M43949 isha_rastogi 2015-09-15T12:44:34Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224565#M43950 <P>In <CODE>props.conf</CODE>, change this:</P> <PRE><CODE>REPORT-source = source </CODE></PRE> <P>To this:</P> <PRE><CODE>TRANSFORMS-source = source </CODE></PRE> <P>Then deploy to all Heavy Forwarders and restart all Splunk instances on them.</P> Tue, 15 Sep 2015 15:26:34 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224565#M43950 woodcock 2015-09-15T15:26:34Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224566#M43951 <P>Where did you apply the props.conf and transforms.conf?? Heavy forwarders right??</P> Tue, 15 Sep 2015 15:30:50 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224566#M43951 somesoni2 2015-09-15T15:30:50Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224567#M43952 <P>You've a great eye in finding these...:)</P> Tue, 15 Sep 2015 15:43:30 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224567#M43952 somesoni2 2015-09-15T15:43:30Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224568#M43953 <P>I have done everything wrong that it is possible to do wrong; education by scars keeps memory sharp!</P> Tue, 15 Sep 2015 15:53:21 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224568#M43953 woodcock 2015-09-15T15:53:21Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224569#M43954 <P>Already tried replacing Report to transforms and got no success. I want to change the source field in the indexers.</P> Tue, 15 Sep 2015 16:13:53 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224569#M43954 isha_rastogi 2015-09-15T16:13:53Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224570#M43955 <P>Indexed data is immutable; are you checking <EM>new</EM> events or <EM>old</EM> events? Old events cannot be changed. You can delete it, clear the fishbucket and re-forward it, though.</P> Tue, 15 Sep 2015 16:32:32 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224570#M43955 woodcock 2015-09-15T16:32:32Z https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224571#M43956 <P>It worked on new indexed data. Thanks!!</P> Thu, 17 Sep 2015 17:59:32 GMT https://community.splunk.com/t5/Getting-Data-In/Override-source-field-in-the-indexers/m-p/224571#M43956 isha_rastogi 2015-09-17T17:59:32Z