Thank both of you for your suggested solutions! @adonio Good idea, thank you, I will test this with eval in the props.conf! @jarizeloyola Thanks! I am using ingest_eval for another source which timestamp can only be found in the filename, and it works great! However, I see splunkd timestamp errors for that source, so I have to check if inges_eval works in a way there will still have timestamp issues generated even if OK, or if it is something else! ... View more

Doing this transform on the Indexer tier would be AFTER the monitor has collected the data. If the path to the correct log is wrong in the monitor, i don't see how that could work. I need to set the monitor line of the inputs.conf with some intelligence, to only get the last 4 digits of the host, then use that value in the monitor line. Or are you saying to include the props.conf and transforms.conf with the app I push to the forwarder? My understanding is that the props/transforms portion comes in AFTER the monitor of the inputs.conf... that is too late for what I'm trying to do. ... View more