So our current set up is the Splunk DBConnect is installed in one of our indexers. So i put my props and transforms in the indexer instance.

I'm trying to change the source field using the data from the query, So far I have successfully done this by copying one of the raw events from splunk then tried indexing it with the sourcetype that i configured.

But I when create an input in the dbconnect and applying that sourcetype, the source is not overriden.

the props/transforms work in my local when i upload the sample data below

props

    [coe]
    TRANSFORMS-get_source = get_source

transforms

[get_source]
REGEX = SNPSHOT_DTTM="(?<capture1>\d+)-(?<capture2>\d+)-(?<capture3>\d+)\s(?<capture4>\d+):(?<capture5>\d+):\d+.\d",\smetric_period="(?<capture6>\w+)",\scurrent_or_prior="(?<capture7>\w+)"
DEST_KEY = MetaData:Source
FORMAT = source::coe_$6_$7_$1$2$3$4$5

sample data

2018-08-14 04:58:25.000, SNPSHOT_DTTM="2018-08-14 04:58:25.0", metric_period="lcd", current_or_prior="current", OWNRSHP_ID="10", BTLR_SETL_BRANCH_NO="0000086023", LCD_BEG_DT="2018-07-10", LCD_END_DT="2018-07-10", LCD_QTY_RAW="0.00000", LCD_QTY_SPC="0.00000", LCD_QTY_KEQ="0.00000", LCD_OFF_INV_DISC="0.00000", LCD_OFF_INV_CTM_DISC="0.00000", LCD_OFF_INV_CMA_DISC="0.00000", LCD_ON_INV_DISC="0.00000", LCD_ON_INV_CTM_DISC="0.00000", LCD_ON_INV_CMA_DISC="0.00000", RECV_FILE_NAME="INVCCE_8602320180126.CMP", RECV_TIME_STAMP="2018-03-09 10:14:17.28", RECV_BAL_FLAG="B", RECV_CMPLT_FLAG="C"