First things first, I would recommend restarting Splunk to make sure your configuration is loaded.
Next, you might want to try running btool or S.o.S to see what the config is that Splunk is running with.
$SPLUNK_HOME/bin/splunk cmd btool props list --debug iport-syslog
That should help with figuring out if there are any other props.conf stanzas that could be overriding the sourcetype renaming that you are attempting.
Lastly, you can also add the sourcetype rename at search time with the rename parameter in props.conf.
EDIT: One more thing, you might want to try changing the dash to an underscore in the sourcetype name. Splunk might try to change that internally and that could also be causing the transform to not hit as it could be looking for iport_syslog.
I have changed the "-" to "_". Thank you for your suggestion.
I have also verified with btool that there are no overrides for iport_syslog. The only processing is done by those props/transforms.
At this point I am baffled. All the transforms I have in the file work like a charm and the events show up formatted exactly like I want them to. The sourcetype rename is not kicking in. There is something I am missing but I can't see it!
Hi somesoni. I am doing this because I will need, in the near future, to be able to triage those events to different sourcetypes. This is just a test to see if it works. And, obviously, for now it doesn't.