- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Override source field in the indexers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have configured heavy weight forwarders to get the JMX server data. While forwarding the data to indexers, source field displays the path of those servers. I want to reduce the unwanted strings and override the source field with only server names in it.
source="service:jmx:rmi:///jndi/rmi://abcde000001234:1111/jmxrmi"
I want the source field to extract
source =abcde000001234:1111
I tried to override the field using props and transforms
Transforms.conf
[source]
REGEX =(.*)(:\/\/)(.*)(\/jmxrmi)
FORMAT = source::$3
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source
Props.conf
[jmx]
REPORT-source = source
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 50
However, I am able to extract different field capturing only desired output using inline search.
But I want the source field to display only the host name from where data is coming and remove all irrelevant strings. Is there any way to get it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In props.conf, change this:
REPORT-source = source
To this:
TRANSFORMS-source = source
Then deploy to all Heavy Forwarders and restart all Splunk instances on them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you apply the props.conf and transforms.conf?? Heavy forwarders right??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In props.conf, change this:
REPORT-source = source
To this:
TRANSFORMS-source = source
Then deploy to all Heavy Forwarders and restart all Splunk instances on them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked on new indexed data. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already tried replacing Report to transforms and got no success. I want to change the source field in the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexed data is immutable; are you checking new events or old events? Old events cannot be changed. You can delete it, clear the fishbucket and re-forward it, though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've a great eye in finding these...:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have done everything wrong that it is possible to do wrong; education by scars keeps memory sharp!
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
