Hi @isoutamo Thanks for your reply. While I understand that diagram and believe that it's correct as a baseline, it leaves me more confused. Take the popular Palo Alto TA, that you can get from Splunkbase. Its whole basis is splitting a singular sourcetype into many others. For example, an input is using pan:firewall as the sourcetype. The official docs say to use pan:firewall

[pan:firewall]
category = Network & Security
description = Syslog from Palo Alto Networks Next-generation Firewall
pulldown_type = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^(?:[^,]*,){6}
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_correlation, pan_userid, pan_globalprotect, pan_decryption

If we look at pan_threat it gets renamed to pan:threat within the TA, and then includes a TIME_FORMAT.

[pan_threat]
rename = pan:threat

[pan:threat]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
KV_MODE = none
TIME_PREFIX = ^(?:[^,]*,){6}
MAX_TIMESTAMP_LOOKAHEAD = 32
TIME_FORMAT = %Y/%m/%d %H:%M:%S

This suggests that when the data comes in as [pan:firewall] it makes its way down to the typingQueue, applies the TRANSFORMS, in our case, we are focusing on [pan_threat], then applies all the configuration in the [pan:threat] stanza, including the TIME_FORMAT which is at the aggQueue, but that would be revisiting the queues again. How is this TA doing it, but I can't?
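To make the stanza relationships in the post easier to audit, here is an added example (not part of the post and not the TA's own code) that parses the quoted props.conf fragments, lists the targets named in TRANSFORMS-sourcetype, follows any `rename` chain, and reports which final stanza carries a TIME_FORMAT. The conf text is a trimmed, constructed copy of the stanzas above; the parser is a minimal key/value reader, not Splunk's own.

```python
import re

# Constructed input: a trimmed copy of the props.conf fragments quoted in the post.
PROPS_CONF = """
[pan:firewall]
TIME_PREFIX = ^(?:[^,]*,){6}
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system
[pan_threat]
rename = pan:threat
[pan:threat]
TIME_PREFIX = ^(?:[^,]*,){6}
MAX_TIMESTAMP_LOOKAHEAD = 32
TIME_FORMAT = %Y/%m/%d %H:%M:%S
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; repeated keys override."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def resolve_rename(stanzas, name):
    """Follow 'rename = X' from stanza to stanza, stopping on a cycle."""
    seen = set()
    while name in stanzas and "rename" in stanzas[name] and name not in seen:
        seen.add(name)
        name = stanzas[name]["rename"]
    return name

def timestamp_report(stanzas, sourcetype):
    """Map each TRANSFORMS-* target of a sourcetype to (stanza after rename, TIME_FORMAT or None)."""
    report = {}
    for key, value in stanzas.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for t in (n.strip() for n in value.split(",") if n.strip()):
            final = resolve_rename(stanzas, t)
            report[t] = (final, stanzas.get(final, {}).get("TIME_FORMAT"))
    return report
```

Running `timestamp_report(parse_conf(PROPS_CONF), "pan:firewall")` shows that only the pan_threat target reaches a stanza with a TIME_FORMAT, while targets with no stanza of their own report None.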