Thanks Woodcock. First option requires a JAR deployment and restart of the server on the splunk forwarder side. Second option requires admin access to update transforms? Am I right? I haven't created any prop extracts for the Title field.
Though based on your inputs, I am thinking adding the following regex to my saved search. Please let me know your thoughts.
Since the data set isn’t large, planing on regular expression to redefine field title. Insert
| rex field=_raw "|\s+title:\s+(?
... View more