
Override source field in the indexers

Path Finder

I have configured heavyweight forwarders to get the JMX server data. While forwarding the data to indexers, the source field displays the path of those servers. I want to reduce the unwanted strings and override the source field with only the server names in it.

source="service:jmx:rmi:///jndi/rmi://abcde000001234:1111/jmxrmi"

I want the source field to be extracted as

source=abcde000001234:1111

I tried to override the field using props.conf and transforms.conf:

transforms.conf
[source]
# $3 captures everything between the last "://" and "/jmxrmi"
REGEX = (.*)(:\/\/)(.*)(\/jmxrmi)
FORMAT = source::$3
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source

props.conf
[jmx]
REPORT-source = source
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 50

However, I am able to extract a different field capturing only the desired output using an inline search.
But I want the source field to display only the host name from where the data is coming and remove all irrelevant strings. Is there any way to get it?


Re: Override source field in the indexers

Esteemed Legend

In props.conf, change this:

REPORT-source = source

To this:

TRANSFORMS-source = source

Then deploy to all Heavy Forwarders and restart all Splunk instances on them.

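The answer above turns the stanza from a search-time REPORT into an index-time TRANSFORMS, and the point that makes it work is that the REGEX/FORMAT pair rewrites the MetaData:Source key before the event is written. As an added example (not from the original thread or from Splunk's own code), the script below emulates that transform in Python so the regex and FORMAT can be checked offline against constructed sample source values before deploying to the heavy forwarders. The sample values, the function names and the emulation of `$n` substitution are assumptions made here; Splunk's own matching is PCRE, which agrees with Python's `re` for this pattern.

```python
import re

# REGEX and FORMAT copied from the transforms.conf stanza in the question.
TRANSFORM_REGEX = r"(.*)(:\/\/)(.*)(\/jmxrmi)"
TRANSFORM_FORMAT = "source::$3"


def apply_transform(value, regex=TRANSFORM_REGEX, fmt=TRANSFORM_FORMAT):
    """Emulate one Splunk index-time transform on a single metadata value.

    Returns (key, new_value) when the regex matches; returns None when it
    does not, since Splunk then leaves the field untouched.
    """
    match = re.search(regex, value)
    if match is None:
        return None

    # FORMAT uses $1..$n for capture groups; expand them from this match.
    def expand_group(group_ref):
        return match.group(int(group_ref.group(1)))

    expanded = re.sub(r"\$(\d+)", expand_group, fmt)
    key, sep, new_value = expanded.partition("::")
    if not sep:
        raise ValueError("FORMAT for a metadata transform must be key::value")
    return key, new_value


def rewrite_sources(sources):
    """Apply the transform to each source value, keeping unmatched ones as-is."""
    results = []
    for src in sources:
        result = apply_transform(src)
        results.append(src if result is None else result[1])
    return results


# Constructed sample source values: two JMX URLs in the shape the question
# shows, plus a plain file path that the transform must not touch.
SAMPLE_SOURCES = [
    "service:jmx:rmi:///jndi/rmi://abcde000001234:1111/jmxrmi",
    "service:jmx:rmi:///jndi/rmi://host-b.example.net:2222/jmxrmi",
    "/var/log/app.log",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_SOURCES, rewrite_sources(SAMPLE_SOURCES)):
        print(f"{before} -> {after}")
```

Because the first `(.*)` is greedy, it swallows the earlier `rmi:///` and the match anchors on the last `://`, which is what yields just `host:port`; a non-JMX source that lacks the `/jmxrmi` suffix passes through unchanged, matching Splunk's behaviour when a transform's regex does not match. Remember that this rewrite only affects events indexed after the configuration is deployed and the forwarders restarted.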


Re: Override source field in the indexers

SplunkTrust

You've a great eye in finding these...:)


Re: Override source field in the indexers

Esteemed Legend

I have done everything wrong that it is possible to do wrong; education by scars keeps memory sharp!


Re: Override source field in the indexers

Path Finder

Already tried replacing REPORT with TRANSFORMS and got no success. I want to change the source field in the indexers.


Re: Override source field in the indexers

Esteemed Legend

Indexed data is immutable; are you checking new events or old events? Old events cannot be changed. You can delete it, clear the fishbucket and re-forward it, though.


Re: Override source field in the indexers

Path Finder

It worked on new indexed data. Thanks!!


Re: Override source field in the indexers

SplunkTrust

Where did you apply the props.conf and transforms.conf? On the heavy forwarders, right?
