Hi, I'm using the Journald input in univarsal forwarder to collect logs form journald: https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/CollecteventsfromJournalD. The data comes to my indexer as expected. One of the fields that I send with the logs is the TRANSPORT field. When I search the logs I can see that TRANSPORT event metadata is present as expected.

 

I would like to set the logs sourcetype dynamically based on the value of the TRANSPORT field. Here is the props.conf and transforms.conf that I'm trying to use

 

props.conf:

[default]

TRANSFORMS-change_sourcetype = set_new_sourcetype

 

transforms.conf

[set_new_sourcetype]

REGEX = TRANSPORT=([^\s]+)

FORMAT = sourcetype::test

DEST_KEY = MetaData:Sourcetype

 

Unfortunately the above seems to have no impact on the logs. I think that the problem lies in the REGEX field. When I change it to REGEX = .* , all of the events have the sourcetype set to test as expected. Why can't I use the TRANSPORT event in the REGEX?