I was having the same issues, the solution above wasn't working for me so I read a lot of documentation to understand how overriding of source types on a per-event basis works. According to the Getting Data In 8.0.2007 manual at the chapter 'Override source types on a per-event basis', the syntax should be as:

```
[<unique_stanza_name>]
REGEX = <your_regex>
FORMAT = sourcetype::<your_custom_sourcetype_value>
DEST_KEY = MetaData:Sourcetype
```

One of my experiments was that I didn't change the expressions, I only swapped the order of the last two:

```
[pfsense_sourcetyper]
# The REGEX setting specifies the regular expression that points to a
# field in the event that you want to extract
# timestamp wo year, host, application and 1 single extraction by the
# second group (no '?' so marked active): application wo the ':'
# Sep 13 23:59:59 xxx.yyy.edu filterlog:
REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)
#
# The FORMAT setting specifies the name of the new sourcetype
# $1 here refers to the second group, but first extraction above
# example: sourcetype::pfsense:dhcp
FORMAT = sourcetype::pfsense:$1
#
# write the value from FORMAT to the source type of the event
# MetaData:Sourcetype : The source type of the event,
# the value must be prefixed by "sourcetype::"
DEST_KEY = MetaData:Sourcetype
```

After that, I got 14 different sourcetypes instead of just 3:

```
pfsense:filterlog             80,220   97.568%
pfsense:dhcpd                    729    0.887%
pfsense                          614    0.747%
pfsense:unbound                  263    0.32%
pfsense:filterdns                144    0.175%
pfsense:openvpn                   96    0.117%
pfsense:gw1                       54    0.066%
pfsense:check_reload_status       48    0.058%
pfsense:dpinger                   12    0.014%
pfsense:php                       12    0.014%
```

I also found that my dhcp reported less than the EXTRACT for it:

```
< EXTRACT-ipv4_dhcp = dhcpd:\s(?<vendor_action>DHCPACK|DHCPREQUEST) (?:on|for) (?<dest_ip>\S+) (?:from|to) (?<src_mac>\S+) via (?<src_interface>\S+)
---
> EXTRACT-ipv4_dhcp = (?<vendor_action>DHCPACK|DHCPREQUEST) (?:on|for) (?<dest_ip>\S+) (?:from|to) (?<src_mac>\S+) \(.*\) via (?<src_interface>\S+)
```

kind regards, hansb
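As an added example (my own code, not hansb's and not Splunk's), the sourcetype stanza and both EXTRACT-ipv4_dhcp variants from the post replayed in Python over constructed pfSense syslog lines: it shows which sourcetype each event would receive and how many DHCP events each EXTRACT regex actually parses, which is why one variant reports fewer fields than the other. The sample events and hostnames are constructed, and Python needs `(?P<name>...)` where Splunk uses `(?<name>...)`.

```python
import re
from collections import Counter

# Constructed pfSense syslog samples (not taken from the original post).
SAMPLE_EVENTS = [
    "Sep 13 23:59:59 fw.example.edu filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp",
    "Sep 13 23:59:59 fw.example.edu dhcpd: DHCPREQUEST for 10.0.0.23 from 00:11:22:33:44:55 (laptop) via igb1",
    "Sep 13 23:59:59 fw.example.edu dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (laptop) via igb1",
    "Sep 13 23:59:59 fw.example.edu dhcpd: DHCPACK on 10.0.0.24 to 00:11:22:33:44:66 via igb1",
    "Sep 13 23:59:59 fw.example.edu unbound: [12345:0] info: resolving example.com. A IN",
    "Sep  5 00:00:01 dpinger: WAN_DHCP 203.0.113.1: sendto error: 65",
    "not a syslog line at all",
]

# The [pfsense_sourcetyper] stanza: REGEX captures the application name,
# FORMAT substitutes it for $1, DEST_KEY writes the result to MetaData:Sourcetype.
SOURCETYPE_REGEX = re.compile(r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)")
SOURCETYPE_FORMAT = "sourcetype::pfsense:$1"

def assign_sourcetype(event, fallback="pfsense"):
    """Return the sourcetype the stanza would assign; unmatched events keep the input default."""
    m = SOURCETYPE_REGEX.search(event)
    if m is None:
        return fallback
    value = SOURCETYPE_FORMAT.replace("$1", m.group(1))
    return value[len("sourcetype::"):]  # the prefix is consumed by DEST_KEY

# Both EXTRACT-ipv4_dhcp variants from the post, with (?<name>) rewritten as (?P<name>).
DHCP_EXTRACT_OLD = re.compile(
    r"dhcpd:\s(?P<vendor_action>DHCPACK|DHCPREQUEST) (?:on|for) (?P<dest_ip>\S+) "
    r"(?:from|to) (?P<src_mac>\S+) via (?P<src_interface>\S+)")
DHCP_EXTRACT_NEW = re.compile(
    r"(?P<vendor_action>DHCPACK|DHCPREQUEST) (?:on|for) (?P<dest_ip>\S+) "
    r"(?:from|to) (?P<src_mac>\S+) \(.*\) via (?P<src_interface>\S+)")

def extract_dhcp(event, pattern):
    """Field dict the EXTRACT would produce for this event, or None if it does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None

def sourcetype_counts(events=SAMPLE_EVENTS):
    """Sourcetype histogram, like the post's count-per-sourcetype listing."""
    return Counter(assign_sourcetype(e) for e in events)

def dhcp_coverage(pattern, events=SAMPLE_EVENTS):
    """Number of events for which the given EXTRACT yields fields."""
    return sum(extract_dhcp(e, pattern) is not None for e in events)

if __name__ == "__main__":
    for st, n in sourcetype_counts().most_common():
        print(f"{st:<20} {n}")
    print("old EXTRACT hits:", dhcp_coverage(DHCP_EXTRACT_OLD))  # 1: only the event without "(hostname)"
    print("new EXTRACT hits:", dhcp_coverage(DHCP_EXTRACT_NEW))  # 2: only the events with "(hostname)"
```

Neither EXTRACT covers both DHCP line shapes, so a practitioner checking field coverage would compare the hit count against the event count per sourcetype rather than trust a single sample line.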