Hi all,

I'm monitoring a set of logs using Splunk input.
By default they have the sourcetype "others-sourcetype" and using a transform I generate, for some of them, the source type "my-sourcetype" which is generated dinamically.

Splunk reads "others-sourceytpe" props.conf stanza and it applies only "TRANSFORMS-sourcetype_override", which change correctly the sourcetype "others-sourceytpe" into "my-sourcetype", but it ignore all other configurations: LINE_BREAKER , SEDCMD-blfRemover and so on.
Also, even if Splunk change "others-sourceytpe" into "my-sourcetype" it does not use again props.conf to read "my-sourcetype" stanza, so Splunk doesn't apply any event manipulation options

Can you help me to understand which is the precedence of the props.conf stanzas and options?

props.conf:

[others-sourcetype]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
CHARSET = UTF-8
disabled = false
TRUNCATE = 100000
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d+\s+\w+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%4N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 24
SEDCMD-blfRemover = s/\x0A//g
SEDCMD-acrRemover = s/\x0D//g
TRANSFORMS-giorno=add_giorno
TRANSFORMS-sourcetype_override = others-sourcetype_logs_override
category = Custom
pulldown_type = 1


[my-sourcetype]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
CHARSET = UTF-8
disabled = false
TRUNCATE = 100000
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d+\s+\w+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%4N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 24
SEDCMD-blfRemover = s/\x0A//g
SEDCMD-acrRemover = s/\x0D//g
TRANSFORMS-anno = anno

transforms.conf:

[others-sourcetype_logs_override]
REGEX = \/home\/user\/Desktop\/(.*)\/.*.log
SOURCE_KEY = MetaData:Source
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype

[add_giorno]
REGEX = (?<giorno>^\d\d\d\d-\d\d-\d\d)
FORMAT = giorno::$1
WRITE_META = true

[anno]
REGEX = (?<anno>^\d\d\d\d)
FORMAT = anno::$1
WRITE_META = true

[mese]
REGEX =  (?<mese>^\d\d\d\d-\d\d)
FORMAT = mese::$1
WRITE_META = true