Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Override source field in the indexers

isha_rastogi
Path Finder
‎09-15-2015 05:44 AM

I have configured heavy weight forwarders to get the JMX server data. While forwarding the data to indexers, source field displays the path of those servers. I want to reduce the unwanted strings and override the source field with only server names in it. 

source="service:jmx:rmi:///jndi/rmi://abcde000001234:1111/jmxrmi"

I want the source field to extract 

source =abcde000001234:1111

I tried to override the field using props and transforms 

Transforms.conf
[source]
REGEX =(.*)(:\/\/)(.*)(\/jmxrmi)
FORMAT = source::$3
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source

Props.conf  
[jmx]
REPORT-source = source
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 50

However, I am able to extract different field capturing only desired output using inline search.
But I want the source field to display only the host name from where data is coming and remove all irrelevant strings. Is there any way to get it?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-15-2015 08:26 AM

In props.conf, change this:

REPORT-source = source

To this:

TRANSFORMS-source = source

Then deploy to all Heavy Forwarders and restart all Splunk instances on them.

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-15-2015 08:30 AM

Where did you apply the props.conf and transforms.conf?? Heavy forwarders right??

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-15-2015 08:26 AM

In props.conf, change this:

REPORT-source = source

To this:

TRANSFORMS-source = source

Then deploy to all Heavy Forwarders and restart all Splunk instances on them.

Reply
Solved! Jump to solution

isha_rastogi
Path Finder
‎09-17-2015 10:59 AM

It worked on new indexed data. Thanks!!

0 Karma
Reply
Solved! Jump to solution

isha_rastogi
Path Finder
‎09-15-2015 09:13 AM

Already tried replacing Report to transforms and got no success. I want to change the source field in the indexers.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-15-2015 09:32 AM

Indexed data is immutable; are you checking new events or old events? Old events cannot be changed. You can delete it, clear the fishbucket and re-forward it, though.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-15-2015 08:43 AM

You've a great eye in finding these...:)

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-15-2015 08:53 AM

I have done everything wrong that it is possible to do wrong; education by scars keeps memory sharp!

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...