Hello fellow Splunkers, this is my first post here!
I am trying to configure per-event source type overriding. I have edited the following files:

transforms.conf:

    [windows_logs]
    REGEX = AgentDevice=WindowsLog
    FORMAT = sourcetype::windows
    DEST_KEY = MetaData:SourceType

props.conf:

    TRANSFORMS-windows = windows_logs

After editing the files, I restarted Splunk. I am still seeing, however, messages like this:
<13>Oct 21 11:00:17 server.blah.com AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=22.214.171.1244723 Source=Microsoft-Windows-Security-Auditing [snip]
Notice that the event contains the string AgentDevice=WindowsLog, but the sourcetype is not changed. The source type "windows" exists; I created it.
Can you help with this configuration? It could be something really simple; I'm quite new to Splunk. Thanks!
The problem was a typo in my DEST_KEY field, which is case-sensitive.
After replacing it with the following line, everything works:

    DEST_KEY = MetaData:Sourcetype
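Because DEST_KEY is compared exactly and a misspelled one is silently ignored, the mistake in this thread only shows up as "nothing happened" after a restart. The following script is an added example for this thread (it is not Splunk code and does not talk to Splunk): it parses transforms.conf/props.conf text with the key case preserved, lints DEST_KEY against a subset of the keys documented in transforms.conf.spec, and then dry-runs the REGEX/FORMAT rule over constructed sample events to show which sourcetype each one would end up with. The `[syslog]` props stanza, the second sample event and the VALID_DEST_KEYS subset are assumptions made for the example.

```python
"""Lint and dry-run a Splunk per-event sourcetype override (added example)."""
import configparser
import re

# Subset of DEST_KEY values documented in transforms.conf.spec. The comparison
# is exact and case-sensitive, which is what tripped up the original poster.
VALID_DEST_KEYS = {
    "MetaData:Sourcetype", "MetaData:Host", "MetaData:Source",
    "_raw", "_meta", "queue", "_TCP_ROUTING", "_SYSLOG_ROUTING",
}

# Config exactly as posted in the question (typo in DEST_KEY) ...
TRANSFORMS_TYPO = """
[windows_logs]
REGEX = AgentDevice=WindowsLog
FORMAT = sourcetype::windows
DEST_KEY = MetaData:SourceType
"""

# ... and as corrected in the accepted answer.
TRANSFORMS_FIXED = TRANSFORMS_TYPO.replace("MetaData:SourceType", "MetaData:Sourcetype")

# props.conf: the [syslog] stanza name is an assumption for this example.
PROPS = """
[syslog]
TRANSFORMS-windows = windows_logs
"""

# Constructed sample events: the first is trimmed from the thread, the second is made up.
EVENTS = [
    "<13>Oct 21 11:00:17 server.blah.com AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing",
    "<13>Oct 21 11:00:18 server.blah.com sshd[1234]: Accepted publickey for alice",
]


def parse_conf(text):
    """Parse Splunk .conf text, keeping key case and disabling % interpolation."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # default would lowercase DEST_KEY -> dest_key
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def lint_transforms(transforms_text):
    """Return problems a practitioner should fix before restarting Splunk."""
    problems = []
    for stanza, keys in parse_conf(transforms_text).items():
        dest = keys.get("DEST_KEY")
        if dest is None:
            continue
        if dest not in VALID_DEST_KEYS:
            hint = [k for k in VALID_DEST_KEYS if k.lower() == dest.lower()]
            msg = f"[{stanza}] DEST_KEY={dest!r} is not a known key"
            if hint:
                msg += f" (case mismatch; did you mean {hint[0]!r}?)"
            problems.append(msg)
        if "REGEX" not in keys:
            problems.append(f"[{stanza}] sets DEST_KEY but has no REGEX")
    return problems


def transform_order(props_text, stanza):
    """Collect the transform names a props stanza applies, in TRANSFORMS-* order."""
    names = []
    for key, value in parse_conf(props_text)[stanza].items():
        if key.startswith("TRANSFORMS-"):
            names.extend(v.strip() for v in value.split(","))
    return names


def simulate(transforms_text, transform_names, events, default_sourcetype):
    """Dry-run the override: return the sourcetype each raw event would receive."""
    transforms = parse_conf(transforms_text)
    results = []
    for raw in events:
        sourcetype = default_sourcetype
        for name in transform_names:
            rule = transforms[name]
            # Only an exactly spelled DEST_KEY rewrites the sourcetype metadata.
            if rule.get("DEST_KEY") != "MetaData:Sourcetype":
                continue
            if re.search(rule["REGEX"], raw):
                # FORMAT for this key looks like "sourcetype::<name>".
                sourcetype = rule["FORMAT"].split("::", 1)[1]
        results.append(sourcetype)
    return results


if __name__ == "__main__":
    order = transform_order(PROPS, "syslog")
    for label, conf in (("typo", TRANSFORMS_TYPO), ("fixed", TRANSFORMS_FIXED)):
        print(label, lint_transforms(conf), simulate(conf, order, EVENTS, "syslog"))
```

Run against the posted config, the linter reports the case mismatch and the dry-run leaves both events as `syslog`; with the corrected DEST_KEY the Windows event becomes `windows` while the unrelated event keeps the default. Extending VALID_DEST_KEYS with the full list from your Splunk version's transforms.conf.spec makes the check useful for routing and host overrides as well.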