I am testing splitting sourcetypes for a one time indexed file on my test box. All time formats are parsed correctly when the log ingests. The file splits just fine into exactly as many events as expected.

But there are 3 sourcetypes I need to split it into: Send, receive and scan as the message section of the logs vary heavily. The regex has been tested and works fine. No errors from btool.

inputs.conf

 [monitor://C:\\Users\\<user>\\Desktop\\security\\Splunk\\DEVELOPMENT\\Test_Ingest\\test_raw_spam.txt]
 disabled = false
 sourcetype = test_barracuda
 index = test

props.conf - to note, I tried the TRANSFORMS- line in the test_barracuda stanza, but still no results.

[test_barracuda]
CHARSET=AUTO
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
category=Custom
disabled=false
pulldown_type=true

[source:\\C:\\Users\\<user>\\Desktop\\security\\Splunk\\DEVELOPMENT\\Test_Ingest\\test_raw_spam.txt]
TRANSFORMS-changesourcetype = send_set_sourcetype, recv_set_sourcetype, scan_set_sourcetype

Transfoms.conf

[send_set_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = (\sSEND\s)
FORMAT = sourcetype::test_send

[recv_set_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = (\sRECV\s)
FORMAT = sourcetype::test_recv

[scan_set_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = (\sSCAN\s)
FORMAT = sourcetype::test_send

When I do a search after resetting, I am not seeing any results in the new sourcetypes, only in test_barricuda. Any thoughts?

I forced re-indexing of all file monitors because of the fact that this was a one time monitor, still no results in new sourcetypes.

command used:

splunk clean eventdata _thefishbucket