Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to set Source equal to filename in input.conf?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a lot of documentation on how to set Host equal to filename or directory name, however i couldn't find anything on how to set source equal to file name?
[monitor://.......\fil.log]
disabled=0
source=???
sourcetype= logFile
props.conf
[logFile]
setting
.
.
.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this as the REGEX in your transforms.conf
[replacedefaultsource]
SOURCE_KEY = MetaData:Source
REGEX = E:\\Users\\([^\\]+)\\fil.txt
DEST_KEY = MetaData:Source
FORMAT= source::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this as the REGEX in your transforms.conf
[replacedefaultsource]
SOURCE_KEY = MetaData:Source
REGEX = E:\\Users\\([^\\]+)\\fil.txt
DEST_KEY = MetaData:Source
FORMAT= source::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much. That's exactly what i was looking for.
I also added another change which was removing [source::E:\Users\Documents\fil.txt] entirly from props.conf and moving TRANSFORMS-replace_source to sourcetype setting for anyone looking at this answer in the future.
[WindowsFile]
bunch of setting.....
TRANSFORMS-replace_source = replacedefaultsource
removed ([source::E:\Users\Documents\fil.txt]
TRANSFORMS-replace_source = replacedefaultsource)
Do you know why I had to do that? does splunk prioritize sourcetype setting than other settings in props.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The source of an event is the name of the file, stream, or other input from which the event originates. For data monitored from files and directories, the value of source is the full path, such as /archive/server1/var/log/messages.0 or /var/log/. The value of source for network-based data sources is the protocol and port, such as UDP:514
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Aboutdefaultfields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for answering, but this is what I have
[monitor://E:\Users\Documents\fil.txt]
disabled=0
Sourcetype = WindowsFile
queue = parsingQueue
props.conf
[WindowsFile]
bunch of setting.....
[source::E:\Users\Documents\fil.txt]
TRANSFORMS-replace_source = replacedefaultsource
Tranforms.conf
[replacedefaultsource]
SOURCE_KEY = MetaData:Source
REGEX = E:\Users\(Documents)\fil.txt
DEST_KEY = MetaData:Source
FORMAT= source::$1
That's the setting that i have and it's not working, I don't want to full path, I just want the filename. this is what i have and it's not working?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
