https://community.splunk.com/t5/Getting-Data-In/How-to-set-a-string-in-my-current-source-field-value-as-the/m-p/330317#M61232 <P>Hi ,</P> <P>Is there any way I can simply have <CODE>Plprdfinodm01</CODE> as my Source in Splunk which indicates JVM name?</P> <PRE><CODE>D:\splunk\was\vxpip-ppm01\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm01\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm01\PIprdfinodm01\messages.log D:\splunk\waslp\vxpip-ppm02\PIprdfinodm01\messages.log </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4504iB6DA613F7CE98639/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 05 Mar 2018 18:59:45 GMT harishnpandey 2018-03-05T18:59:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-a-string-in-my-current-source-field-value-as-the/m-p/330317#M61232 <P>Hi ,</P> <P>Is there any way I can simply have <CODE>Plprdfinodm01</CODE> as my Source in Splunk which indicates JVM name?</P> <PRE><CODE>D:\splunk\was\vxpip-ppm01\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm01\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm02\PIprdfinodm01\messages.log D:\splunk\was\vxpip-ppm01\PIprdfinodm01\messages.log D:\splunk\waslp\vxpip-ppm02\PIprdfinodm01\messages.log </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4504iB6DA613F7CE98639/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 05 Mar 2018 18:59:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-a-string-in-my-current-source-field-value-as-the/m-p/330317#M61232 harishnpandey 2018-03-05T18:59:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-a-string-in-my-current-source-field-value-as-the/m-p/330318#M61233 <P>I think personally I would create a new field (field extraction) called something like JVMHost. That way you preserve the original data.<BR /> You could use a regex like this: <BR /> <CODE>.*\\(?&lt;JVMHost&gt;[^\\]+)\\messages.log</CODE></P> Mon, 05 Mar 2018 22:01:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-a-string-in-my-current-source-field-value-as-the/m-p/330318#M61233 livehybrid 2018-03-05T22:01:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-a-string-in-my-current-source-field-value-as-the/m-p/330319#M61234 <P>Or..you could overwrite the source...</P> <P>If your sourcetype was called "jvm-log", you'd have a props.conf entry for the sourcetype, identifying the transform rule.</P> <PRE><CODE> [jvm-log] TRANSFORMS-1_source = force_jvm_source </CODE></PRE> <P>This references a rule that would be defined in transforms.conf:</P> <PRE><CODE> [force_jvm_source] SOURCE_KEY =_raw REGEX =.*\\([^\\]+)\\messages.log DEST_KEY = MetaData:Source FORMAT = source::$1 </CODE></PRE> Mon, 05 Mar 2018 22:05:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-a-string-in-my-current-source-field-value-as-the/m-p/330319#M61234 livehybrid 2018-03-05T22:05:34Z