We are receiving several logs via syslog UDP 514, and there are several transforms for each of the log types. One of them is Cisco ASA logs. After overriding the sourcetype, I would like to apply TZ = UTC to it and not to the rest of the logs that also come in via syslog. Is this possible, since the sourcetype first needs to be extracted and I believe that props and transforms only have one pass per event?
I don't believe that is possible. The timestamping of the data is one of the first things that happens when data comes in (Merging Queue). Re-sourcetyping is one of the last (Typing Queue). You may need to rethink your application, keeping this in mind.
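The setup discussed in this thread, written out as an added example that is not from either poster: the sourcetype override, the `TZ` stanza that comes too late to matter, and one alternative keyed on the sender instead of the sourcetype. The stanza names, the `%ASA-` regex and the `192.0.2.*` address pattern are assumptions made for illustration.

```ini
# ---- props.conf ----

# Assumed: everything on UDP 514 arrives with sourcetype "syslog".
# The index-time transform below rewrites the sourcetype for ASA events.
[syslog]
TRANSFORMS-set_asa = set_sourcetype_cisco_asa

# Has no effect on the re-sourcetyped events: the timestamp and time zone
# were already resolved against the original sourcetype before the
# transform assigned "cisco:asa".
[cisco:asa]
TZ = UTC

# Alternative: key TZ on the sender, which is known when the event is
# received. 192.0.2.* is a documentation range standing in for the
# addresses of the ASA devices (hypothetical).
[host::192.0.2.*]
TZ = UTC

# ---- transforms.conf ----

[set_sourcetype_cisco_asa]
REGEX = %ASA-\d-\d+
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
```

The `host::` stanza is matched against the host value the input assigns to the event, not against a hostname extracted later from the syslog header, so the pattern has to match what the UDP input records for the sender.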