I'm using the TA pfsense app and I am trying to fix some sourcetype extraction issues. The current app is supposed to use a transform to extract the sourcetype. Most logs have prepended time stamp, but nginx does not. There is a regex that uses a non-capture group to grab the timestamp in most logs and then select the log type for source. I edited this and added an or statement to get the nginx logs, but it does seem to work. So I then created a second transform for sourcetype to get the nginx logs, but that is not working either. What is the proper way to parse the same log stream multiple time inline with a regex and use a transform to label both logs with their proper sourcetypes. I can't see to find a good method for this in the docs. Thanks.
@chrisgangl, I had similar issues and found a solution that worked for me; see my post https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-pfsense-transforms-conf-pfsense-sourcetyper-....
If that doesn't help, I'm willing to share what little knowledge I've gained beating my head against the desk trying to get this to work for me!