Hello guys,

my name is Fabio and I have a problem. 😞

This is the situation: the heavy forwarder receives events on udp:514 and I need to split them into N sourcetypes, according to regexps defined in transforms.conf (this part works).

The problem is that each sourcetype has a different timestamp format and I need the timestamp of each event to be properly parsed.

I tried this: through a TRANSFORM rule I changed the sourcetype of the event and then, through a following TRANSFORM rule, I tried to move it to the parsingQueue, but that didn't make the trick. The timestamp is wrongly parsed once again.

Also notice that I can't follow the solution suggested here (http://answers.splunk.com/answers/79645/changing-timestamp-and-sourcetype-based-on-record-type) as I'm not aware of the format of timestamps of other sourcetypes, as some of them are automatically parsed and I don't have log samples. If I set a time format in [source::udp:514] I'm afraid I would probably mess up timestamp recognition for other events.

Is there a way to do this? If the parsingQueue solution didn't work, I'm afraid I didn't get very well how the whole input+parsing+indexing process works in Splunk.

Thanks! 🙂