https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269027#M51660 <P>Try this in your Indexers and Heavy Forwarders and Search Heads (wherever you're collecting internal logs with this different path</P> <PRE><CODE>props.conf [source::/san/splunk/var/log/splunk*] TRANSFORMS-setsource = correct_source transforms.conf [correct_source] SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Source REGEX = \/san\/splunk(\/var\/log\/splunk.*) FORMAT = source::/opt/splunk$1 </CODE></PRE> Thu, 04 Feb 2016 20:41:59 GMT somesoni2 2016-02-04T20:41:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269024#M51657 <P>We had to put the log files in the /san/splunk/var/log/splunk directory vs the /opt/splunk/var/log/splunk directory. Of course, I can modify apps that have hard coded the path to files in that directory. Is there a way to use props or transform on the indexer with the awkward path so the source will show up as /opt/splunk/var/log/splunk on the search head? That way, I don't have to modify the search in apps needing to find files in the /san/splunk/var/log/splunk directory.</P> Thu, 04 Feb 2016 10:42:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269024#M51657 coleman07 2016-02-04T10:42:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269025#M51658 <P>Change your search to look for */splunk/var/log...</P> <P>Or use sedcmd in props.conf on your sourcetype</P> <PRE><CODE> sedcmd-santoopt = "s/\/san/\/opt/g" </CODE></PRE> <P>You can also use sed with the rex command in search:</P> <PRE><CODE> ... | rex mode=sed "s/\/san/\/opt/g" | ... </CODE></PRE> Thu, 04 Feb 2016 11:08:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269025#M51658 jkat54 2016-02-04T11:08:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269026#M51659 <P>You could hard code the source in your inputs.conf on your indexer or forwarder, <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/inputsconf">http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/inputsconf</A></P> <PRE><CODE>source= /opt/splunk/var/log/splunk/filename </CODE></PRE> Thu, 04 Feb 2016 20:24:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269026#M51659 landen99 2016-02-04T20:24:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269027#M51660 <P>Try this in your Indexers and Heavy Forwarders and Search Heads (wherever you're collecting internal logs with this different path</P> <PRE><CODE>props.conf [source::/san/splunk/var/log/splunk*] TRANSFORMS-setsource = correct_source transforms.conf [correct_source] SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Source REGEX = \/san\/splunk(\/var\/log\/splunk.*) FORMAT = source::/opt/splunk$1 </CODE></PRE> Thu, 04 Feb 2016 20:41:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269027#M51660 somesoni2 2016-02-04T20:41:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269028#M51661 <P>I think that this regex would only match sources that began with the parent directory /san/ . Perhaps the regex could be relaxed to only match on the capture group:</P> <PRE><CODE> [correct_source] SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Source REGEX = (\/var\/log\/splunk.*) FORMAT = source::$1 </CODE></PRE> Sun, 07 Feb 2016 17:53:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-the-source-field-to-match-normal-splunk-file/m-p/269028#M51661 landen99 2016-02-07T17:53:51Z