We are receiving several logs via syslog UDP 514, and there are several transforms for each of the log types. One of them is Cisco ASA logs. So, after overriding the sourcetype, I would like to apply TZ = UTC to it and not to the rest of the logs that also come in via syslog. Is this possible, since the sourcetype first needs to be extracted, and I believe that props and transforms only have one pass per event?
transforms.conf
[asa_override_sourcetype]
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
props.conf
[source::udp:514]
TRANSFORMS-changesourcetype = cisco_ise_sourcetype, cisco_ise_source, asa_override_sourcetype
How can I add another action and apply it to the asa sourcetype?
I don't believe that is possible. The timestamping of the data is one of the first things that happen when data comes in (Merging Queue). Re-sourcetyping is one of the last (Typing Queue). You may need to rethink your application keeping this in mind.
For more on what happens when see these graphics:
https://wiki.splunk.com/Community:HowIndexingWorks
I believe the TZ assignment happens before the TRANSFORMS is applied, so it may not be possible to update the TZ after that, for just one sourcetype.
https://wiki.splunk.com/Community:HowIndexingWorks
You can give it a try by adding this in props.conf (I'm less positive about whether it'll work):
[cisco:asa]
TZ = UTC
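As an added illustration that is not part of the original thread or of Splunk itself: the script below applies the question's own REGEX (%ASA-\d-\d{6}) to a few constructed syslog events to show which ones the transform would re-sourcetype, and then computes how far off _time would be if the BSD syslog header (which carries no year and no zone) were interpreted in the indexer's local zone instead of the UTC the ASA clock uses. The indexer zone (UTC-5), the default sourcetype "syslog", the year, and the sample events are all assumptions for the example. A skew of several hours on firewall events is the practical risk here, because it breaks time-based correlation with other sources.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex from the question's [asa_override_sourcetype] transforms.conf stanza.
ASA_REGEX = re.compile(r"%ASA-\d-\d{6}")

# Sourcetype the stanza assigns on a match, and an assumed default for the
# other udp:514 traffic (the question does not state what that default is).
ASA_SOURCETYPE = "cisco:asa"
DEFAULT_SOURCETYPE = "syslog"

# Constructed sample events, not captured device output.
SAMPLE_EVENTS = [
    "Jan 12 10:15:30 fw01 %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.9/51234 (192.0.2.1/51234)",
    "Jan 12 10:15:31 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 "
    "dst inside:10.0.0.9/22 by access-group \"outside_in\"",
    "Jan 12 10:15:32 ise01 CISE_Failed_Attempts 0000000001 1 0 2024-01-12 10:15:32.000 "
    "+00:00 NOTICE Failed-Attempt: Authentication failed",
]

# BSD syslog header: "Mon DD HH:MM:SS host ..." (no year, no zone).
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")

# Assumed indexer local zone for the worked example (UTC-5).
INDEXER_TZ = timezone(timedelta(hours=-5))


def assign_sourcetype(event: str) -> str:
    """Mimic the TRANSFORMS-changesourcetype pass: the ASA REGEX wins on match."""
    if ASA_REGEX.search(event):
        return ASA_SOURCETYPE
    return DEFAULT_SOURCETYPE


def parse_syslog_timestamp(event: str, year: int, tz: timezone) -> datetime:
    """Parse the syslog header timestamp, interpreting it in the given zone.

    Year and zone must both be supplied by the receiver, which is exactly
    what Splunk's TZ setting does at parse time.
    """
    m = SYSLOG_TS.match(event)
    if not m:
        raise ValueError("no syslog timestamp at start of event: %r" % event[:40])
    mon, day, clock = m.groups()
    naive = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def timestamp_skew_seconds(event: str, year: int, assumed_tz: timezone, actual_tz: timezone) -> int:
    """Seconds by which _time is off when the header is read in assumed_tz
    although the device wrote it in actual_tz. Positive means the indexed
    time lands later than the true event time."""
    assumed = parse_syslog_timestamp(event, year, assumed_tz)
    actual = parse_syslog_timestamp(event, year, actual_tz)
    return int((assumed - actual).total_seconds())


def audit(events, year: int = 2024, indexer_tz: timezone = INDEXER_TZ):
    """Per-event summary: the sourcetype the transform would assign, and the
    skew an ASA event would carry if the indexer zone were applied to a
    header the ASA actually wrote in UTC. Non-ASA events report 0 here."""
    report = []
    for ev in events:
        st = assign_sourcetype(ev)
        skew = 0
        if st == ASA_SOURCETYPE:
            skew = timestamp_skew_seconds(ev, year, indexer_tz, timezone.utc)
        report.append({"sourcetype": st, "skew_seconds": skew})
    return report


if __name__ == "__main__":
    for ev, row in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS)):
        print(f"{row['sourcetype']:10} skew={row['skew_seconds']:>6}s  {ev[:60]}")
```

Running it shows the two %ASA- events classified as cisco:asa with an 18000-second (five-hour) skew under the assumed UTC-5 indexer zone, and the constructed ISE line left on the default sourcetype with no skew computed. The same harness can be pointed at a capture of your real udp:514 traffic to confirm the REGEX only matches the lines you intend it to.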