There is a threat log with two sub_types (url and vulnerability); sample data is below.
panwlogs-,2022-12-15T08:42:04.000000Z,no-serial,THREAT,url,10.0,2022-12-15T08:41:45.000000Z,x.x.x.x,x,x,user,,ssl,vsys1,x,untrust,tunnel.101,ethernet1/1,x,560330,1,60906,8292,55427,8292,protocol,action,7317,713,6604,15,2022-12-15T08:39:46.000000Z,0,any,4912899,src_location,US,6,9,decrypt-cert-validation,65541,65542,65550,0,,x,from-policy,,,0,,0,1970-01-01T00:00:00.000000Z,N/A,0,0,0,0,x,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2022-12-15T08:41:46.419000Z,,
panwlogs-,2022-12-14T14:06:10.000000Z,no-serial,THREAT,vulnerability,10.0,2022-12-14T14:06:05.000000Z,src_ip,dest_ip,nat_src_ip,dest_ip,rule,src_user,,echo,vsys1,usodev,untrust,tunnel.102,ethernet1/1,log_forwarding,230581,6,45060,7,34147,7,protocol,action,,threat_id,Informational,client to server,174106,1src_location,dest_location,0,,,0,,,,,0,65541,65542,65550,0,,usodev,,,0,,0,1970-01-01T00:00:00.000000Z,N/A,protocol-anomaly,session_id,0x2,00000000-0000-0000-2300-000000000000,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2022-12-14T14:06:05.521000Z,
Each event has a different set of fields. If the sub_type is url, one set of field extractions should happen; if the sub_type is vulnerability, a second set should happen. The requirement is to combine both sub_types under the same sourcetype "threat". Is it possible to do so?
props.conf
[threat]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
EXTRACT-log_st=(?:THREAT,)(?<sub_type>.*?),
EVAL-extract_threat=case(sub_type="url", "extract_url", sub_type="vulnerability", "extract_vulnerability")
REPORT-search = "Is it possible to pass extract_url or extract_vulnerability based on the event ?"
transforms.conf
[extract_url]
DELIMS = ","
FIELDS = URL_field1,url_field2...
[extract_vulnerability]
DELIMS = ","
FIELDS = vul_field1,vul_field2....
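One way to get sub_type-dependent extraction, added here as an example and not part of the original post: a REPORT- setting in props.conf applies to every event of the sourcetype, so the selection has to live in the transform itself. Two transforms whose REGEX anchors on the sub_type column (column 5 in the sample lines, after panwlogs-, the receive time, the serial and THREAT) each match only their own events, so only one of them produces fields for a given line. The column names url_field1..url_field4 and vul_field1..vul_field4 are placeholders; the real names for columns 6 onward are not given in the post.

```ini
# props.conf (added example, not the poster's configuration)
[threat]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Both reports run on every event; each transform's REGEX only matches
# its own sub_type, so the other one silently extracts nothing.
REPORT-url_fields = threat_url_fields
REPORT-vuln_fields = threat_vuln_fields

# transforms.conf
[threat_url_fields]
# Skip columns 1-3, require column 4 = THREAT and column 5 = url,
# then capture columns 5-9 as comma-delimited values.
REGEX = ^(?:[^,]*,){3}THREAT,(url),([^,]*),([^,]*),([^,]*),([^,]*)
# Placeholder field names; replace with the url schema's column names.
FORMAT = sub_type::$1 url_field1::$2 url_field2::$3 url_field3::$4 url_field4::$5

[threat_vuln_fields]
# Same anchoring, but only fires when column 5 = vulnerability.
REGEX = ^(?:[^,]*,){3}THREAT,(vulnerability),([^,]*),([^,]*),([^,]*),([^,]*)
# Placeholder field names; replace with the vulnerability schema's column names.
FORMAT = sub_type::$1 vul_field1::$2 vul_field2::$3 vul_field3::$4 vul_field4::$5
```

To verify, search the sourcetype and table the fields from both transforms (for example `sourcetype=threat | table sub_type url_field1 vul_field1`): url events should populate only url_field*, vulnerability events only vul_field*, and sub_type should be set on both. Extend each REGEX with one more `([^,]*)` group per additional column the schema needs; because the capture groups are positional, a column that is empty in the raw line still keeps later fields aligned.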