Hi,

The following is what we have.

• 1 x Forwarder(Heavy Forwarder)
• 1 x Indexer
• 1 x Search Head

We are attempting to forward multiple sourcetypes to the indexer with Parsing done on the Heavy Forwarder for each sourcetype.

Problem: Forwarder is Parsing and Forwarding sourcetype mydataA but not mydataB.
Can anyone help?

The following was configured in etc/system/local

inputs.conf
sourcetype = mydataB
index = mydataB

outputs.conf
[tcpout:indexer]
disabled = false
server = 1.1.1.1:9997
hearbeatFrequency = 45
defaultGroup = indexer
indexAndForward = false

props.conf
[mydataA]
TRANSFORMS-dataA = setnulla,setparsinga
[mydataA]
TRANSFORMS-dataB = setnullb,setparsingb

transforms.conf
[setnulla]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsinga]
REGEX = error
DEST_KEY = queue
FORMAT = indexQueue

[setnullb]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsingb]
REGEX = SUCCESSFUL
DEST_KEY = queue
FORMAT = indexQueue