hello everyone, I want to change sourcetype and index in incoming events. In 514UDP I have many different type of logs (cisco, Fortigate, Fortiweb, ....) How could I change Sourcetype and Index on Heavy Forwarder :(this is my try but it does not work) : Props: [source::udp:514] TRANSFORMS-1sourcetype = fortigateevent TRANSFORMS-2index_routeing = fortigateeventindex Transforms: [fortigateevent] REGEX = devname= .* DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::fgt_log [fortigateeventindex] REGEX = .* DEST_KEY = _MetaData:Index FORMAT = fortinet
... View more