https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481854#M82589 <P>please help me in indexing source field value into new fields value during index time.<BR /> please help with transform/props.conf<BR /> i need to extract the source field only the script name with the new field.</P> <P>source field value will be /splunk_home/etc/apps/bin/python.py</P> Wed, 22 Apr 2020 06:04:03 GMT DataOrg 2020-04-22T06:04:03Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481854#M82589 <P>please help me in indexing source field value into new fields value during index time.<BR /> please help with transform/props.conf<BR /> i need to extract the source field only the script name with the new field.</P> <P>source field value will be /splunk_home/etc/apps/bin/python.py</P> Wed, 22 Apr 2020 06:04:03 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481854#M82589 DataOrg 2020-04-22T06:04:03Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481855#M82590 <P>Hi,</P> <P>Please try below config on Indexer/Heavy Forwarder whichever comes first from UF.</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] TRANSFORMS-sourceextract = get_script_from_source </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[get_script_from_source] SOURCE_KEY = MetaData:Source REGEX = ([^\/]+$) FORMAT = script_name::$1 WRITE_META=true </CODE></PRE> <P>On Search Head</P> <P>fields.conf</P> <PRE><CODE>[script_name] INDEXED = true </CODE></PRE> Wed, 22 Apr 2020 08:31:44 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481855#M82590 harsmarvania57 2020-04-22T08:31:44Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481856#M82591 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163905">@harsmarvania57</a> not working.<BR /> error captured at splunkd.log</P> <P>04-22-2020 10:18:56.823 +0000 ERROR regexExtractionProcessor - REGEX field must be specified tranform_name=route_script_pg_thingworx</P> Wed, 30 Sep 2020 05:04:04 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481856#M82591 DataOrg 2020-09-30T05:04:04Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481857#M82592 <P>There was typo in transforms.conf configuration, it should be <CODE>SOURCE_KEY = MetaData:Source</CODE> , not <CODE>Metadata:Source</CODE>. I have updated my answer with correct configuration.</P> Wed, 22 Apr 2020 10:53:31 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481857#M82592 harsmarvania57 2020-04-22T10:53:31Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481858#M82593 <P>@harsmarvania57 thanks its worked but it not picking a metadata value.<BR /> i want to create a new field with static value(hardcoded value). how to create it ?<BR /> script_name = abc.py</P> Wed, 22 Apr 2020 11:30:24 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481858#M82593 DataOrg 2020-04-22T11:30:24Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481859#M82594 <P>What do you mean by "metadata value" ? You mentioned in your question that you want to create new indexed time field based on source and now you are saying that you want to hardcode the value at index time, I am confused now. Please clarify what you want to achieve.</P> Wed, 22 Apr 2020 11:33:27 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481859#M82594 harsmarvania57 2020-04-22T11:33:27Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481860#M82595 <P>i want to create a field with hard-corded script name value during index time itself since i cant use source field it was pointing something, </P> Wed, 22 Apr 2020 11:51:20 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481860#M82595 DataOrg 2020-04-22T11:51:20Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481861#M82596 <P>Remove above props &amp; transforms config and try below configuration on UF</P> <P>inputs.conf</P> <PRE><CODE>[script://path/your_script.py] _meta = script_name::abc.py </CODE></PRE> Wed, 22 Apr 2020 13:10:22 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481861#M82596 harsmarvania57 2020-04-22T13:10:22Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481862#M82597 <P>@harsmarvania57 thanks , it worked</P> Thu, 23 Apr 2020 06:07:56 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481862#M82597 DataOrg 2020-04-23T06:07:56Z https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481863#M82598 <P>Welcome ..</P> Thu, 23 Apr 2020 10:13:32 GMT https://community.splunk.com/t5/Getting-Data-In/i-need-to-index-the-source-field-value-into-new-fields-during/m-p/481863#M82598 harsmarvania57 2020-04-23T10:13:32Z