https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63388#M12722 <P>there are multiple log files in the directory and they are being assigned a sourcetype in the props.conf dynamically...I tried to simplify the information because I didn't think it was relevant...I will add the stanza</P> Tue, 18 Sep 2012 14:59:20 GMT peter_gianusso 2012-09-18T14:59:20Z https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63385#M12719 <P>Trying to assign the "esxi_hosts" sourcetype to any event that has a value of "vm[0-9][0-9]" for the host field:</P> <P>inputs.conf</P> <PRE><CODE>[monitor://\\njros1bva0597\d$\LogFiles\W3SVC1\] disabled = 0 host = VM99 index=imaging whitelist = \.log$ </CODE></PRE> <P>props.conf</P> <PRE><CODE>[source::...\\ex*.log] sourcetype = VM88 [source::...\\CAPPM*.log] sourcetype = VM11 </CODE></PRE> <P>[VM88]</P> <PRE><CODE>TRANSFORMS-hostname = rewrite_sourcetype_from_host </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[rewrite_sourcetype_from_host] SOURCE_KEY = MetaData:Host REGEX = vm\d\d DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::esxi_hosts </CODE></PRE> Tue, 18 Sep 2012 14:37:55 GMT https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63385#M12719 peter_gianusso 2012-09-18T14:37:55Z https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63386#M12720 <P>source type always ends up as VM88</P> Tue, 18 Sep 2012 14:39:10 GMT https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63386#M12720 peter_gianusso 2012-09-18T14:39:10Z https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63387#M12721 <P>maybe I'm missing something... can't you just set the sourcetype in the monitor stanza in inputs.conf</P> <P><CODE>[monitor]<BR /> sourcetype=esxi_hosts<BR /> blah blah<BR /> blah<BR /> etc.<BR /> etc.<BR /> </CODE></P> Tue, 18 Sep 2012 14:56:37 GMT https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63387#M12721 kristian_kolb 2012-09-18T14:56:37Z https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63388#M12722 <P>there are multiple log files in the directory and they are being assigned a sourcetype in the props.conf dynamically...I tried to simplify the information because I didn't think it was relevant...I will add the stanza</P> Tue, 18 Sep 2012 14:59:20 GMT https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63388#M12722 peter_gianusso 2012-09-18T14:59:20Z https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63389#M12723 <P>let us know if this fixes the issue, and i will convert Kristian's comment to an answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 18 Sep 2012 18:17:08 GMT https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63389#M12723 piebob 2012-09-18T18:17:08Z https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63390#M12724 <P>no that won't fix the issue given the scenario...the source type is dynamically assigned in the props.conf</P> Tue, 18 Sep 2012 18:18:47 GMT https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63390#M12724 peter_gianusso 2012-09-18T18:18:47Z https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63391#M12725 <P>a fix to the regex of <BR /> vm\d\d <BR /> to <BR /> VM\d\d <BR /> <CODE><BR /> </CODE>fixed the issue</P> Tue, 18 Sep 2012 18:19:37 GMT https://community.splunk.com/t5/Getting-Data-In/Renaming-Host-Dynamically/m-p/63391#M12725 peter_gianusso 2012-09-18T18:19:37Z