Splunk Noob. I have a custom http sourcetype with multiple data sources. For one of these sources (aws:firehose), I need to concatenate a field value (ecs_task_definition) to the source value, then do a regex or an eval at some point to remove the trailing colon and numbers, preferably all at index time. I've been advised the field=ecs_task_definition will contain a few hundred dynamic values that will change from time to time, so I can't assign these statically.

My example:

sourcetype=httpevent
source=aws:billing
source=aws:s3
source=aws:inspector
source=aws:firehose
ecs_task_definition=arc-permission-service-worker:100
ecs_task_definition=arc-enrollment-service:182
ecs_task_definition=arc-reporting-service:234
ecs_task_definition=arc-tenant-service:332

I would like the final result to look like:

source=aws:firehose:arc-tenant-service
source=aws:firehose:arc-reporting-service

I have been trying to do this in props and transforms without success. I think I'm having both syntax problems added to a general lack of understanding of what I can and can't do at index time versus search time. Any help would be much appreciated. Thanks
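An added example of how an index-time source rewrite of this kind is normally wired up in props.conf and transforms.conf. It is not configuration from the original post, and it assumes the events arrive at the parsing tier (indexer or heavy forwarder) with source already set to aws:firehose and with the ecs_task_definition value present in the raw event text, either as key=value or as a JSON member. The stanza name ecs_task_source is made up; TRANSFORMS-, REGEX, FORMAT, DEST_KEY and MetaData:Source are standard Splunk settings.

```ini
# props.conf (deploy on the indexer or heavy forwarder that parses the data)
# A source:: stanza is matched against the event's source at index time, so
# only aws:firehose events are touched; aws:billing, aws:s3 and aws:inspector
# under the same httpevent sourcetype are left alone.
[source::aws:firehose]
TRANSFORMS-ecs_task_source = ecs_task_source

# transforms.conf
[ecs_task_source]
# Index-time transforms run REGEX against _raw (the default SOURCE_KEY).
# The capture group takes the task family name and stops before the
# ":<revision>" suffix, so "arc-tenant-service:332" yields "arc-tenant-service".
# \W+ after the key name tolerates both ecs_task_definition=value and a JSON
# "ecs_task_definition":"value" layout (assumed formats, not confirmed by the post).
REGEX = ecs_task_definition\W+([^\s:"]+):\d+
# Rewrite the source metadata field; FORMAT for MetaData:Source must begin
# with the literal "source::" prefix, then the new value.
FORMAT = source::aws:firehose:$1
DEST_KEY = MetaData:Source
```

Two practical checks before relying on this: index-time changes apply only to events ingested after the configuration is loaded, and the rewritten source is permanent, so test the REGEX on a sample of the raw events first (for example with `| rex` at search time) and confirm it captures exactly the family name. If the field is not present in _raw at parse time, an index-time transform cannot see it, and the rewrite has to happen at search time instead (a calculated field or an `eval` in the search).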