https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394597#M70445 <P>the current sources are /var/log/LOGCENTRAL/Windows/<EM>hostname</EM>/<EM>hostname.log</EM>. This obviously varies as there are many hosts writing logs. My props is now [source::/var/log/LOGCENTRAL/Windows/...] and thats not working either.</P> Mon, 18 Jun 2018 12:29:16 GMT coreyf311 2018-06-18T12:29:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394593#M70441 <P>I have the below configured but source is not being over written. I am trying to wild card anything after Windows in the path.</P> <P>props.conf</P> <PRE><CODE>[source::/var/log/Windows/*] TRANSFORMS-changesource=changesource </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[changesource] FORMAT= source::WinEventLog:Security DEST_KEY=MetaData:Source </CODE></PRE> <P>I have it deployed to my heavy forwarder. It's not working there. I am also curious if I can deploy something like this to a Universal Forwarder after I am sure the syntax is correct?</P> Mon, 18 Jun 2018 11:34:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394593#M70441 coreyf311 2018-06-18T11:34:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394594#M70442 <P>If you have further sub-directories behind <CODE>/var/log/Windows/</CODE>, you need to use the <CODE>...</CODE> wildcard instead of <CODE>*</CODE>. So try <CODE>[source::/var/log/Windows/...]</CODE> instead.</P> <P>And no, these operations cannot be done on UF. Unless this specific source value matches a specific inputs.conf stanza, then you could set the source field as part of the inputs.conf.</P> Mon, 18 Jun 2018 11:54:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394594#M70442 FrankVl 2018-06-18T11:54:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394595#M70443 <P>I would prefer to set source as part of the inputs.conf Can I override the source in inputs.conf?</P> Mon, 18 Jun 2018 12:09:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394595#M70443 coreyf311 2018-06-18T12:09:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394596#M70444 <P>Yes, you can simply add <CODE>source = WinEventLog:Security</CODE> to the relevant inputs.conf stanza.</P> Mon, 18 Jun 2018 12:24:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394596#M70444 FrankVl 2018-06-18T12:24:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394597#M70445 <P>the current sources are /var/log/LOGCENTRAL/Windows/<EM>hostname</EM>/<EM>hostname.log</EM>. This obviously varies as there are many hosts writing logs. My props is now [source::/var/log/LOGCENTRAL/Windows/...] and thats not working either.</P> Mon, 18 Jun 2018 12:29:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394597#M70445 coreyf311 2018-06-18T12:29:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394598#M70446 <P>I think you need to add a <CODE>REGEX = .</CODE> to your transforms.conf. That setting is required for index-time extractions like this. Sorry for not catching that earlier.</P> Mon, 18 Jun 2018 12:34:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394598#M70446 FrankVl 2018-06-18T12:34:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394599#M70447 <P>a simple read of the inputs.conf spec gave me the answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks!</P> Mon, 18 Jun 2018 12:42:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-override-the-props-source/m-p/394599#M70447 coreyf311 2018-06-18T12:42:13Z