After looking over this, I did a quick scan on the forum. if your trying to split out the source field/s from VM126 you may need to use a another field or use the field winlogbeat_computer_name
The source field is normally for where the logs came from and it seams like your trying to separate them from all the clients. I think something like this
10 VM's ---> VM126 --> Graylog ---> Separated the 10 individual VM's again
