OK, I've solved it. I made a mistake. Instead of FORMAT = sourcetype::<your_custom_sourcetype_value> I wrote FORMAT = <your_custom_sourcetype_value> (I forgot about sourcetype:: ). It was hard to spot because Splunk was correctly overwriting sourcetype field in search results.
... View more