Splunk can definitely do what you are trying to do, maybe in too many ways :). I think finding the one that works for you is the key, and I think you are close in your options 1 & 2. (I'd ditch #3.)

Option #1

This is probably the simplest way. I'd start here. I am not sure I grok why the source field is a problem with using the data, but it can definitely be replaced using props/transforms versus hardcoding in the inputs. This should allow Splunk to use it to grab your desired hostname with "host_regex" in inputs.conf, then we can overwrite it in a props/transforms as the data flows through the pipeline. I suggest simply using an ingest eval stanza like:

## props.conf
[my:sourcetype]
TRANSFORMS = source_override
## transforms.conf
[source_override]
INGEST_EVAL = source:="my_simple_source"

Option #2

This may provide even more flexibility in your logic for setting the fields you want. I would also use "ingest_eval" here as well versus the general props/transforms as it provides some powerful logic that regex alone may not be suitable for. https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/IngestEval

I believe the issue you may be hitting with losing the hostname is that your current approach relies on the hostname being present in the raw data, which may not happen when linebroken. Instead with ingest_eval we can write some logic that allows us to manipulate the metadata you get to achieve your goal. Technically you would just be re-implementing the "host_regex" logic here tho, so might be overkill, but might be useful if needed for advanced uses and wouldn't be limited to only the source field.

## props.conf
[my:sourcetype]
TRANSFORMS = extract_host_from_source,source_override
## transforms.conf
[extract_host_from_source]
SOURCE_KEY = MetaData:Source
REGEX = <some_regex_that_extracts_your_host_value>
FORMAT = host::$1
DEST_KEY = MetaData:Host
# once you have the hostname from source, now overwrite it!
[source_override]
INGEST_EVAL = source:="my_simple_source"

tldr: ingest_eval is mad powerful and allows you to refer to fields or metadata that exist already and apply powerful eval logic that goes well beyond what I showed here. I've even done conditional field overrides based on fields extracted, etc. It's super cool and leads into ingest actions world eventually.

Note: I wrote this pseudocode style, haven't tested them against data. If you have some sample data, happy to try and tune them if you run into issues.

References:
https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Overridedefaulthostassignments
https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/IngestEval
https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Transformsconf#:~:text=INGEST_EVAL%20%3D%20%3Ccomma%2Dseparated,Optional.%0A*%20Default%3A%20empty
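Added example, not part of the original answer: a simplified Python model of the option #2 transform chain, showing why the order in the TRANSFORMS list matters and which sources would keep the default host once the original source value is overwritten. The regex, directory layout, default host name and sample paths are constructed assumptions, Python's `re` stands in for Splunk's PCRE, and the `host::`/`source::` metadata prefixes are left out.

```python
import re

# Constructed stand-in for <some_regex_that_extracts_your_host_value>; the
# directory layout /var/log/remote/<host>/... is an assumption.
HOST_REGEX = re.compile(r"/var/log/remote/([^/]+)/")
NEW_SOURCE = "my_simple_source"


def extract_host_from_source(meta):
    """Model of REGEX + FORMAT = host::$1 + DEST_KEY = MetaData:Host."""
    m = HOST_REGEX.search(meta["source"])
    if m:  # no match: the transform writes nothing and host keeps its old value
        meta["host"] = m.group(1)
    return meta


def source_override(meta):
    """Model of INGEST_EVAL = source:="my_simple_source"."""
    meta["source"] = NEW_SOURCE
    return meta


def run_pipeline(source, transforms, default_host="forwarder01"):
    """Apply the transforms left to right, as listed in TRANSFORMS = a,b."""
    meta = {"host": default_host, "source": source}
    for transform in transforms:
        meta = transform(meta)
    return meta


def unresolved(sources, transforms, default_host="forwarder01"):
    """Return the sources whose events would keep the default host."""
    return [s for s in sources
            if run_pipeline(s, transforms, default_host)["host"] == default_host]


# Constructed sample source paths
SAMPLES = [
    "/var/log/remote/web-01/messages.log",
    "/var/log/remote/db-02/secure.log",
    "/var/log/local/messages.log",  # does not follow the assumed layout
]

if __name__ == "__main__":
    page_order = [extract_host_from_source, source_override]
    for s in SAMPLES:
        print(s, "->", run_pipeline(s, page_order))
    print("keep default host:", unresolved(SAMPLES, page_order))
    print("reversed order:", unresolved(SAMPLES, page_order[::-1]))
```

Any path reported as unresolved loses its only host hint once the source is overwritten, so it is worth checking the real regex against a listing of actual source paths before deploying.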