This does not work anymore. I'm not sure if it would have ever worked, but according to the documentation, sourcetype=something only works when applied to a source. A transforms.conf file is needed. The example given in another reply almost works; it was missing the "sourcetype::" on the FORMAT line.

[syslog]
TRANSFORMS-set_sourcetype = set_sourcetype

transforms.conf

[set_sourcetype]
FORMAT = sourcetype::new_sourcetype
REGEX = myserver
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype