Getting Data In

Override source field in the indexers

isha_rastogi
Path Finder

I have configured heavy weight forwarders to get the JMX server data. While forwarding the data to indexers, source field displays the path of those servers. I want to reduce the unwanted strings and override the source field with only server names in it.

source="service:jmx:rmi:///jndi/rmi://abcde000001234:1111/jmxrmi"

I want the source field to extract

source =abcde000001234:1111

I tried to override the field using props and transforms

Transforms.conf
[source]
REGEX =(.*)(:\/\/)(.*)(\/jmxrmi)
FORMAT = source::$3
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source

Props.conf  
[jmx]
REPORT-source = source
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 50

However, I am able to extract different field capturing only desired output using inline search.
But I want the source field to display only the host name from where data is coming and remove all irrelevant strings. Is there any way to get it?

1 Solution

woodcock
Esteemed Legend

In props.conf, change this:

REPORT-source = source

To this:

TRANSFORMS-source = source

Then deploy to all Heavy Forwarders and restart all Splunk instances on them.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Where did you apply the props.conf and transforms.conf?? Heavy forwarders right??

0 Karma

woodcock
Esteemed Legend

In props.conf, change this:

REPORT-source = source

To this:

TRANSFORMS-source = source

Then deploy to all Heavy Forwarders and restart all Splunk instances on them.

isha_rastogi
Path Finder

It worked on new indexed data. Thanks!!

0 Karma

isha_rastogi
Path Finder

Already tried replacing Report to transforms and got no success. I want to change the source field in the indexers.

0 Karma

woodcock
Esteemed Legend

Indexed data is immutable; are you checking new events or old events? Old events cannot be changed. You can delete it, clear the fishbucket and re-forward it, though.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You've a great eye in finding these...:)

0 Karma

woodcock
Esteemed Legend

I have done everything wrong that it is possible to do wrong; education by scars keeps memory sharp!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...