Hi Splunkers,

for an addon I'm making, I need to perform a sourcetype override.
The general mechanis is clearly explained on this documentation: Override source types on a per-event basis and I used it with different result.

If I use, in the props.conf file, a sourcetype like <spec>, it works fine; so, if my data born with sourcetype A, and A is puttend in the props.conf as spec, and I want to override it with B, where B is putted in transforms.conf under the proper regex, nothing goes wring and I achieve the desiderd result.

Now, suppose I want switch, in prop.conf file for <spec> parameter, from a sourcetype to a source and that this source is a file under a specific location. Of course, I could put the full path of source; but, for different reasons, this path may change in our production environment, so I need to switch from full path to a partial one; the worst case is whre we must change from:

C:\sub1\sub2\sub3.test_file.txt

to:

...\test_file.txt

So, my question is: what is the proper wildcard syntax to achieve this purpose? I tried until now:

...\test_file.txt
C:\...\test_file.txt
//C:\...\test_file.txt

but they does not work and the sourcetype is not overriden.