Change REGEX = newapp to REGEX = .
In your example, the sourcetype renaming would only happen to events that contain "newapp". REGEX=. means that it will apply to any events that pass through this transform.
Also, in props, you call it force_sourcetype_for_newapp, and in transforms, you call it force_source_for_newapp. They should be the same.
Overall, your file should look like this.
props.conf
[syslog]
TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp
transforms.conf
[force_sourcetype_for_newapp]
DEST_KEY = MetaData:Sourcetype
REGEX = .
FORMAT = sourcetype::newapp
Have you restarted your Splunk instance after this change?
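The name mismatch pointed out above is easy to miss by eye. The following check is an added example, not part of the original answer and not a Splunk tool: it lists every TRANSFORMS-* reference in props.conf that has no matching stanza in transforms.conf. It assumes simple files that Python's configparser can read; the function names and the "broken" sample are constructed from the names quoted in the answer.

```python
import configparser

def load_conf(text):
    """Parse Splunk .conf text (INI-like) into a ConfigParser."""
    cp = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#",),
        interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (TRANSFORMS-..., REGEX)
    cp.read_string(text)
    return cp

def dangling_transforms(props_text, transforms_text):
    """Return (props stanza, key, name) for each TRANSFORMS-* reference
    that has no stanza of the same name in transforms.conf."""
    props = load_conf(props_text)
    defined = set(load_conf(transforms_text).sections())
    missing = []
    for stanza in props.sections():
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # One key may list several transforms, comma-separated
            for name in (n.strip() for n in value.split(",")):
                if name and name not in defined:
                    missing.append((stanza, key, name))
    return missing

# Constructed sample input, using the names quoted in the answer
PROPS = """
[syslog]
TRANSFORMS-force_sourcetype_for_newapp = force_sourcetype_for_newapp
"""
BROKEN_TRANSFORMS = """
[force_source_for_newapp]
DEST_KEY = MetaData:Sourcetype
REGEX = newapp
FORMAT = sourcetype::newapp
"""
FIXED_TRANSFORMS = """
[force_sourcetype_for_newapp]
DEST_KEY = MetaData:Sourcetype
REGEX = .
FORMAT = sourcetype::newapp
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_TRANSFORMS), ("fixed", FIXED_TRANSFORMS)):
        print(label, dangling_transforms(PROPS, text))
```

The check compares only the two texts it is given; it does not account for settings merged from other apps or directories.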