I would like to set the log sourcetype dynamically based on the value of the TRANSPORT field. Here are the props.conf and transforms.conf that I'm trying to use:
props.conf:
[default]
TRANSFORMS-change_sourcetype = set_new_sourcetype
transforms.conf:
[set_new_sourcetype]
REGEX = TRANSPORT=([^\s]+)
FORMAT = sourcetype::test
DEST_KEY = MetaData:Sourcetype
Unfortunately, the above seems to have no impact on the logs. I think that the problem lies in the REGEX field. When I change it to REGEX = .*, all of the events have the sourcetype set to test as expected. Why can't I use the TRANSPORT event in the REGEX?