Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Override source field in the indexers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have configured heavy weight forwarders to get the JMX server data. While forwarding the data to indexers, source field displays the path of those servers. I want to reduce the unwanted strings and override the source field with only server names in it.
source="service:jmx:rmi:///jndi/rmi://abcde000001234:1111/jmxrmi"
I want the source field to extract
source =abcde000001234:1111
I tried to override the field using props and transforms
Transforms.conf
[source]
REGEX =(.*)(:\/\/)(.*)(\/jmxrmi)
FORMAT = source::$3
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source
Props.conf
[jmx]
REPORT-source = source
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 50
However, I am able to extract different field capturing only desired output using inline search.
But I want the source field to display only the host name from where data is coming and remove all irrelevant strings. Is there any way to get it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In props.conf, change this:
REPORT-source = source
To this:
TRANSFORMS-source = source
Then deploy to all Heavy Forwarders and restart all Splunk instances on them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you apply the props.conf and transforms.conf?? Heavy forwarders right??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In props.conf, change this:
REPORT-source = source
To this:
TRANSFORMS-source = source
Then deploy to all Heavy Forwarders and restart all Splunk instances on them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked on new indexed data. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already tried replacing Report to transforms and got no success. I want to change the source field in the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexed data is immutable; are you checking new events or old events? Old events cannot be changed. You can delete it, clear the fishbucket and re-forward it, though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've a great eye in finding these...:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have done everything wrong that it is possible to do wrong; education by scars keeps memory sharp!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
