So, here's my admittedly dumb situation. I have an IPAM appliance(s) that does both DNS and DHCP. The output port for the logs isn't configurable according to the admin, so we're stuck with udp/514. Normally, getting two different IPs into the same port and differentiating traffic is pretty straightforward... but that's not what I have.
Can I somehow take one IP (say 192.168.1.1) with two different set of logs (DNS and DHCP) and somehow import that into two different sourcetypes? Can I determine sourcetype with a regex somehow?
In props.conf (assuming the current sourcetype is udp:514)
[udp:514]
TRANSFORMS-set_sourcetype_ipam = ipam_sourcetype_dns, ipam_sourcetype_dhcp
In transforms.conf
[ipam_sourcetype_dns]
REGEX = <regex for dns event>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dns
[ipam_sourcetype_dhcp]
REGEX = <regex for dhcp>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dhcp
You will need to develop your own regexes for the two event types, and put that in the transforms.conf file, and then all future events will be sourcetype'd appropriately.
It possible using a transform and props conf. You will have to come up with a regex that will capture the event when a match occurs you will overwrite the meta field for sourcetype. This can be done on a heavy forwarder or indexer.