I have configured heavy weight forwarders to get the JMX server data. While forwarding the data to indexers, the source field displays the path of those servers. I want to reduce the unwanted strings and override the source field with only server names in it.
I want the source field to extract
I tried to override the field using props and transforms
Transforms.conf
[source]
REGEX = (.*)(:\/\/)(.*)(\/jmxrmi)
FORMAT = source::$3
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source

Props.conf
[jmx]
REPORT-source = source
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 50
However, I am able to extract a different field capturing only the desired output using an inline search.
But I want the source field to display only the host name from where data is coming and remove all irrelevant strings. Is there any way to get it?
In props.conf, change this:
REPORT-source = source
to this:
TRANSFORMS-source = source
Then deploy to all Heavy Forwarders and restart all Splunk instances on them.
Already tried replacing REPORT with TRANSFORMS and got no success. I want to change the source field in the indexers.
Indexed data is immutable; are you checking new events or old events? Old events cannot be changed. You can delete it, clear the fishbucket and re-forward it, though.
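A way to check what the regex from the question would write into source before deploying it, as an added example that is not part of the original thread. It is a simplified Python model of the index-time rewrite, not Splunk code; the JMX URLs are constructed sample values, and HOST_ONLY_REGEX is a hypothetical tighter variant that is not from the thread.

```python
import re

# REGEX and FORMAT copied from the transforms.conf stanza in the question
# ($3 in Splunk's FORMAT corresponds to \3 here).
PAGE_REGEX = re.compile(r"(.*)(:\/\/)(.*)(\/jmxrmi)")
PAGE_FORMAT = r"source::\3"

# Hypothetical variant (assumption, not from the thread): capture the host
# only and leave out an optional :port.
HOST_ONLY_REGEX = re.compile(r"://([^/:]+)(?::\d+)?/jmxrmi")
HOST_ONLY_FORMAT = r"source::\1"

# Constructed sample source values, not taken from the thread.
SAMPLES = [
    "service:jmx:rmi:///jndi/rmi://appsrv01.example.com:9999/jmxrmi",
    "service:jmx:rmi:///jndi/rmi://appsrv02.example.com/jmxrmi",
    "/var/log/messages",
]


def rewrite_source(source, regex, fmt):
    """Model a rewrite with SOURCE_KEY and DEST_KEY both set to MetaData:Source.

    The metadata key holds the value with a 'source::' prefix, the regex is
    searched unanchored, and a non-matching event keeps its original source.
    """
    key = "source::" + source
    match = regex.search(key)
    if match is None:
        return source
    return match.expand(fmt)[len("source::"):]


def compare(samples=SAMPLES):
    """Return (original, page-regex result, host-only result) per sample."""
    return [
        (s,
         rewrite_source(s, PAGE_REGEX, PAGE_FORMAT),
         rewrite_source(s, HOST_ONLY_REGEX, HOST_ONLY_FORMAT))
        for s in samples
    ]


if __name__ == "__main__":
    for original, page, host_only in compare():
        print(f"{original}\n  page regex -> {page}\n  host only  -> {host_only}")
```

With the regex from the question, the third capture group keeps any port that follows the host name, so the new source is host:port on such inputs.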