https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758865#M120301 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Thats a good question actually. I was just presuming that splunk software would support the use case, where two different files have the same kind of data and can thus be treated as the same sourcetype.</P><P>I ended up creating a second sourcetype, as suggested but the outcome is still the same. I also introduced a filter to drop undesired events before ingestion (only keep events that begin with "&lt;event ").</P><P><BR />props.conf</P><LI-CODE lang="markup">[source::/tmp/logs/.../qwe/.../*EventLogger.log*] priority = 100 TZ = UTC sourcetype = eventlogger [eventlogger] KV_MODE = xml TIME_PREFIX = timestamp=" TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z MAX_TIMESTAMP_LOOKAHEAD = 25 REPORT-mydefault = sourcefields-mydefault [source::/tmp/logs/.../qwe/.../*eventlog*.xml*] priority = 100 TZ = UTC sourcetype = eventlog [eventlog] KV_MODE = xml TIME_PREFIX = timestamp=" SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE_DATE = false LINE_BREAKER = &lt;event TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z MAX_TIMESTAMP_LOOKAHEAD = 25 REPORT-mydefault = sourcefields-mydefault TRANSFORMS-null=setnull,eventlog-strip </LI-CODE><P>transforms.conf</P><LI-CODE lang="markup">[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [eventlog-strip] REGEX = ^&lt;event\s DEST_KEY = queue FORMAT = indexQueue [sourcefields-mydefault] SOURCE_KEY = source REGEX = /tmp/logs/(.*?)/(.*?)/(.*?)/ FORMAT = asd::$1 qwe::$2 yxc::$3</LI-CODE><P>&nbsp;</P> Fri, 27 Feb 2026 14:29:23 GMT zapping575 2026-02-27T14:29:23Z https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758860#M120298 <P>I have these two files:</P><UL><LI>EventLogger.log</LI><LI>HOSTNAME-eventlog-TIMESTAMP.xml</LI></UL><P>The structure of their content is the same. Except that the .xml file may contain "&lt;eventlog&gt;" and "&lt;/eventlog&gt;" at beginning and end.</P><P>So I thought to use the same sourcetype for them.</P><P>This stanza is working fine:</P><LI-CODE lang="markup">[source::/tmp/logs/.../qwe/.../*EventLogger.log*] priority = 100 TZ = UTC sourcetype = eventlogger</LI-CODE><P>This one however, is not (splunk will apparently default and make a "xml-2" sourcetype):</P><LI-CODE lang="markup">[source::/tmp/logs/.../qwe/.../*eventlog*.xml*] priority = 100 TZ = UTC sourcetype = eventlogger</LI-CODE><P>&nbsp;</P><P>Using btool, I did confirm that on my indexer, the two stanzas above are actually present.</P><P>I feel like I am missing out on something here.</P> Fri, 27 Feb 2026 10:05:15 GMT https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758860#M120298 zapping575 2026-02-27T10:05:15Z https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758863#M120300 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241220">@zapping575</a>&nbsp;,</P><P>sorry for the question: how is it possible to use the same sourcetype with data source different?</P><P>I suppose that the parsing rules aren't the same for both formats.</P><P>I hint to use two sourcetypes.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 27 Feb 2026 11:20:23 GMT https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758863#M120300 gcusello 2026-02-27T11:20:23Z https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758865#M120301 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Thats a good question actually. I was just presuming that splunk software would support the use case, where two different files have the same kind of data and can thus be treated as the same sourcetype.</P><P>I ended up creating a second sourcetype, as suggested but the outcome is still the same. I also introduced a filter to drop undesired events before ingestion (only keep events that begin with "&lt;event ").</P><P><BR />props.conf</P><LI-CODE lang="markup">[source::/tmp/logs/.../qwe/.../*EventLogger.log*] priority = 100 TZ = UTC sourcetype = eventlogger [eventlogger] KV_MODE = xml TIME_PREFIX = timestamp=" TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z MAX_TIMESTAMP_LOOKAHEAD = 25 REPORT-mydefault = sourcefields-mydefault [source::/tmp/logs/.../qwe/.../*eventlog*.xml*] priority = 100 TZ = UTC sourcetype = eventlog [eventlog] KV_MODE = xml TIME_PREFIX = timestamp=" SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE_DATE = false LINE_BREAKER = &lt;event TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z MAX_TIMESTAMP_LOOKAHEAD = 25 REPORT-mydefault = sourcefields-mydefault TRANSFORMS-null=setnull,eventlog-strip </LI-CODE><P>transforms.conf</P><LI-CODE lang="markup">[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [eventlog-strip] REGEX = ^&lt;event\s DEST_KEY = queue FORMAT = indexQueue [sourcefields-mydefault] SOURCE_KEY = source REGEX = /tmp/logs/(.*?)/(.*?)/(.*?)/ FORMAT = asd::$1 qwe::$2 yxc::$3</LI-CODE><P>&nbsp;</P> Fri, 27 Feb 2026 14:29:23 GMT https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758865#M120301 zapping575 2026-02-27T14:29:23Z https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758980#M120306 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241220">@zapping575</a>&nbsp;,</P><P>as you said, using two sourcetypes you can correctly parse both the data sources and using a similar name for the sourcetypes you can use both of them using asterisk:</P><LI-CODE lang="markup">sourcetype=eventlog*</LI-CODE><P>or (better) creating an eventtype</P><LI-CODE lang="markup">sourcetype IN (eventlog, eventlogger)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 03 Mar 2026 07:52:49 GMT https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758980#M120306 gcusello 2026-03-03T07:52:49Z https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758984#M120307 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>apologies if my previous post may have been ambiguous.</P><P>Out of the two source/sourcetype stanza combinations I posted, only the first one (eventlogger) is working as expected.</P><P>The second one does not work. Splunk just defaults to an "xml-2" sourcetype.</P> Tue, 03 Mar 2026 09:58:04 GMT https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758984#M120307 zapping575 2026-03-03T09:58:04Z https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758994#M120311 <P>The sourcetyper config works at the originating input component level.</P><PRE class="">sourcetype = &lt;string&gt; * Can only be set for a [source::...] stanza. * Anything from that &lt;source&gt; is assigned the specified source type. * Is used by file-based inputs, at input time (when accessing logfiles) such as on a forwarder, or indexer monitoring local files. * sourcetype assignment settings on a system receiving forwarded Splunk data are not be applied to forwarded data. * For log files read locally, data from log files matching &lt;source&gt; is assigned the specified source type. * Default: empty string</PRE> Tue, 03 Mar 2026 22:56:16 GMT https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/758994#M120311 PickleRick 2026-03-03T22:56:16Z https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/759013#M120314 <P>This was the deciding tip. Turs out there was an issue with the deployment server which is why the files were not rolled out to the forwarder. Thank you very much!</P> Wed, 04 Mar 2026 16:39:05 GMT https://community.splunk.com/t5/Getting-Data-In/props-source-stanza-will-not-match/m-p/759013#M120314 zapping575 2026-03-04T16:39:05Z