So... I am attempting to setup a TCP input, which will automatically set metadata, from the event.

The _Raw looks like: {"time":"2017-01-31T15:51:56.9081571-06:00","index":"main","source":"ToolsTesting","host":"348SR52-OGS","Event":"Hello world"}

With the pretty version looking like:

{   [-] 
     Event:  Hello world    
     host:   348SR52-OGS    
     index:  main   
     source:     ToolsTesting   
     time:   2017-01-31T15:51:56.9081571-06:00  
}

So, the "Event" field contains the actual event, whether it be hello world, or a complex object, That piece is working....

But, I want to be able to set the source, host, index... etc, via fields located in my raw input.

So far, I have this....

Props:

[toolsjson]
INDEXED_EXTRACTIONS = json
KV_MODE = json
NO_BINARY_CHECK = true
category = Structured
description = Parse out messages
pulldown_type = 1
disabled = false
TRANSFORM-setsource=set_source_value

Transforms:

[set_source_value]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::$1

I guess the issue is.... I am not very familiar with how to properly use transforms to set the fields. I have looked over a few examples, and I am still slightly lost. Can somebody give me a bit of help?

As a bonus, I would like to strip the "metadata" out of my raw event, and only display the actual event.