https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21514#M3208 <P>Just to make sure - you're confident in that this forwarder you're sending from IS a Universal Forwarder and not some other kind of heavy forwarder?</P> Wed, 06 Feb 2013 13:02:27 GMT Ayn 2013-02-06T13:02:27Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21513#M3207 <P>Hello! <BR /> I have issue while getting my application logs data from universal forwarder working in my network.</P> <P>My configs on indexer server:</P> <P>1) props.conf</P> <P>[Planet3_Application_Logs]</P> <P>TRANSFORMS-001 = planet3_app_logs</P> <P>BREAK_ONLY_BEFORE = event id</P> <P>NO_BINARY_CHECK = 1</P> <P>SHOULD_LINEMERGE = true</P> <P>TIME_PREFIX = date</P> <P>TZ = Europe/Samara</P> <P>pulldown_type = 1</P> <P>2) transforms.conf</P> <P>[planet3_app_logs]</P> <P>REGEX = event id</P> <P>FORMAT = sourcetype::Planet3_Application_Logs</P> <P>DEST_KEY = MetaData:Sourcetype</P> <P>So, i used this manual</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides</A></P> <P>And as result i see, that all my logs are coming in FROM UNIVERSAL forwarder in automate assigned xml sourcetypes by splunk indexer. However, local data inputs in my custom sourcetypes work fine</P> <P>What's the problem?</P> Mon, 28 Sep 2020 13:14:43 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21513#M3207 splnktester 2020-09-28T13:14:43Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21514#M3208 <P>Just to make sure - you're confident in that this forwarder you're sending from IS a Universal Forwarder and not some other kind of heavy forwarder?</P> Wed, 06 Feb 2013 13:02:27 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21514#M3208 Ayn 2013-02-06T13:02:27Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21515#M3209 <P>Yes. I'm sure</P> Thu, 07 Feb 2013 11:04:19 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21515#M3209 splnktester 2013-02-07T11:04:19Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21516#M3210 <P>UP question!</P> Tue, 05 Mar 2013 15:37:41 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-overriding-per-event-custom-sourcetypes-while-getting/m-p/21516#M3210 splnktester 2013-03-05T15:37:41Z