https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229725#M44703 <P>The source of an event is the name of the file, stream, or other input from which the event originates. For data monitored from files and directories, the value of source is the full path, such as /archive/server1/var/log/messages.0 or /var/log/. The value of source for network-based data sources is the protocol and port, such as UDP:514</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Aboutdefaultfields">http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Aboutdefaultfields</A></P> Tue, 04 Oct 2016 20:58:23 GMT sundareshr 2016-10-04T20:58:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229724#M44702 <P>There are a lot of documentation on how to set Host equal to filename or directory name, however i couldn't find anything on how to set source equal to file name? </P> <P>[monitor://.......\fil.log]<BR /> disabled=0<BR /> source=???<BR /> sourcetype= logFile</P> <P>props.conf</P> <P>[logFile]<BR /> setting<BR /> .<BR /> .<BR /> .</P> Tue, 04 Oct 2016 20:56:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229724#M44702 moaf13 2016-10-04T20:56:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229725#M44703 <P>The source of an event is the name of the file, stream, or other input from which the event originates. For data monitored from files and directories, the value of source is the full path, such as /archive/server1/var/log/messages.0 or /var/log/. The value of source for network-based data sources is the protocol and port, such as UDP:514</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Aboutdefaultfields">http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Aboutdefaultfields</A></P> Tue, 04 Oct 2016 20:58:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229725#M44703 sundareshr 2016-10-04T20:58:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229726#M44704 <P>Thank you for answering, but this is what I have </P> <P>[monitor://E:\Users\Documents\fil.txt]<BR /> disabled=0<BR /> Sourcetype = WindowsFile<BR /> queue = parsingQueue</P> <P>props.conf</P> <P>[WindowsFile]<BR /> bunch of setting.....</P> <P>[source::E:\Users\Documents\fil.txt]<BR /> TRANSFORMS-replace_source = replacedefaultsource</P> <P>Tranforms.conf</P> <P>[replacedefaultsource]<BR /> SOURCE_KEY = MetaData:Source<BR /> REGEX = E:\Users\(Documents)\fil.txt<BR /> DEST_KEY = MetaData:Source<BR /> FORMAT= source::$1</P> <P>That's the setting that i have and it's not working, I don't want to full path, I just want the filename. this is what i have and it's not working? </P> Tue, 29 Sep 2020 11:16:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229726#M44704 moaf13 2020-09-29T11:16:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229727#M44705 <P>Try this as the REGEX in your transforms.conf</P> <PRE><CODE>[replacedefaultsource] SOURCE_KEY = MetaData:Source REGEX = E:\\Users\\([^\\]+)\\fil.txt DEST_KEY = MetaData:Source FORMAT= source::$1 </CODE></PRE> Wed, 05 Oct 2016 01:36:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229727#M44705 somesoni2 2016-10-05T01:36:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229728#M44706 <P>Thank you very much. That's exactly what i was looking for. </P> <P>I also added another change which was removing [source::E:\Users\Documents\fil.txt] entirly from props.conf and moving TRANSFORMS-replace_source to sourcetype setting for anyone looking at this answer in the future. </P> <P>[WindowsFile]<BR /> bunch of setting.....<BR /> TRANSFORMS-replace_source = replacedefaultsource</P> <P>removed ([source::E:\Users\Documents\fil.txt]<BR /> TRANSFORMS-replace_source = replacedefaultsource)</P> <P>Do you know why I had to do that? does splunk prioritize sourcetype setting than other settings in props.conf? </P> Wed, 05 Oct 2016 08:43:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-Source-equal-to-filename-in-input-conf/m-p/229728#M44706 moaf13 2016-10-05T08:43:36Z