I need to extract a field that is a substring of the 'source' field. My intention was to use something like a regex in transforms.conf, but it seems I can't do it because 'source' is metadata. So, since 'source' is not in the raw event, what is the better (or only) way to do this extraction?
Hi bshuler [Splunk]
If you want to maintain the original source and create a new field, you could extract this field in your search:
your_search | rex field=source "your_regex"
or by using the web field extraction, inserting in the regex
your_regex in source
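A worked version of the `rex field=source` search above, added here as an example and not taken from the answer or from Splunk's own documentation. It uses `makeresults` to fabricate a single event whose `source` value is a constructed path (`/var/log/app/web-01/access.log`), so it runs on any Splunk instance without indexed data; the regex with named capture groups pulls the directory name out as `server` and the file name out as `logfile`, leaving `source` itself untouched. The field names `server` and `logfile` are assumptions chosen for the example:

```spl
| makeresults
| eval source="/var/log/app/web-01/access.log"
| rex field=source "^/var/log/app/(?<server>[^/]+)/(?<logfile>[^/]+)$"
| table source server logfile
```

Against real data, replace the first two lines with your normal search (for example `index=app sourcetype=access_combined`) and keep the `rex` and `table` lines; `rex` against `source` works at search time exactly as it does against `_raw`, because the field is present on every event even though it is not inside the raw text. Anchoring the pattern with `^` and `$` and using `[^/]+` for each segment avoids the regex silently matching a different path layout and populating the new field with the wrong segment, which is worth checking with `| stats count by server` before relying on the extraction in alerts.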