https://community.splunk.com/t5/Getting-Data-In/What-are-the-sequence-of-execution-transforms-across-different/m-p/448697#M77985 <P>Hi,</P> <P>We want to change sourcetype and then send data to two different Splunk Indexers.</P> <P>What is happening is the sourcetype is getting changed (that means first props.conf stanza is working) BUT the seconds props.conf stanza present in the apps folder is not working (It is only sending the logs to default output group).</P> <P>Configuration files for change <STRONG>sourcetypes</STRONG> are located in the <STRONG>/system/local</STRONG> folder and <STRONG>route data</STRONG> configuration files are in the <STRONG>/apps/application/local/</STRONG> folder. </P> <P>Does anyone have similar issue? Thanks!</P> <P><STRONG>SPLUNK_HOME/etc/system/local/</STRONG></P> <P>props.conf</P> <PRE><CODE>[source::/abc/xyz.log] TRANSFORMS-changesourcetype = st </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[st] REGEX = \.*\[12345]\.* FORMAT = sourcetype::sourcetype1 DEST_KEY = MetaData:Sourcetype </CODE></PRE> <P><STRONG>SPLUNK_HOME/etc/apps/application/local</STRONG></P> <P>props.conf</P> <PRE><CODE>[sourcetype1] TRANSFORMS-routing = route_data </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[route_data] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = indexer1, indexer2 </CODE></PRE> Fri, 08 Feb 2019 01:15:52 GMT fxyfrank_acn 2019-02-08T01:15:52Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-sequence-of-execution-transforms-across-different/m-p/448697#M77985 <P>Hi,</P> <P>We want to change sourcetype and then send data to two different Splunk Indexers.</P> <P>What is happening is the sourcetype is getting changed (that means first props.conf stanza is working) BUT the seconds props.conf stanza present in the apps folder is not working (It is only sending the logs to default output group).</P> <P>Configuration files for change <STRONG>sourcetypes</STRONG> are located in the <STRONG>/system/local</STRONG> folder and <STRONG>route data</STRONG> configuration files are in the <STRONG>/apps/application/local/</STRONG> folder. </P> <P>Does anyone have similar issue? Thanks!</P> <P><STRONG>SPLUNK_HOME/etc/system/local/</STRONG></P> <P>props.conf</P> <PRE><CODE>[source::/abc/xyz.log] TRANSFORMS-changesourcetype = st </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[st] REGEX = \.*\[12345]\.* FORMAT = sourcetype::sourcetype1 DEST_KEY = MetaData:Sourcetype </CODE></PRE> <P><STRONG>SPLUNK_HOME/etc/apps/application/local</STRONG></P> <P>props.conf</P> <PRE><CODE>[sourcetype1] TRANSFORMS-routing = route_data </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[route_data] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = indexer1, indexer2 </CODE></PRE> Fri, 08 Feb 2019 01:15:52 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-sequence-of-execution-transforms-across-different/m-p/448697#M77985 fxyfrank_acn 2019-02-08T01:15:52Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-sequence-of-execution-transforms-across-different/m-p/448698#M77986 <P>The sourcetype is only checked once as the event enters the pipeline. So change your routing to be for <CODE>[source::/abc/xyz.log]</CODE> instead</P> Fri, 08 Feb 2019 05:49:36 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-sequence-of-execution-transforms-across-different/m-p/448698#M77986 chrisyounger 2019-02-08T05:49:36Z