I've had a hard time finding an answer to this, so I'm hoping someone out there in Splunk-land can assist in resolving this once and for all.
If I have the following config in props.conf:

```
[syslog]
TRANSFORMS-regular = regular

[bettersyslog]
TRANSFORMS-better = better

[bestsyslog]
```

and the following in transforms.conf:

```
[regular]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::bettersyslog

[better]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::bestsyslog
```

and I ingest a file as `sourcetype=syslog`, will it be transformed to `bestsyslog`?