This is a follow-up question to the solution on this thread: https://community.splunk.com/t5/Getting-Data-In/create-multiple-sourcetypes-from-single-syslog-source/m-p/701337/highlight/false#M116063

I'm trying to do exactly what the original question asked, but I need to apply different DELIMS/FIELDS values to the different sourcetypes I create this way. The solution says that once the new sourcetype is created "...just use additional transforms entries with regular expressions that fit the specific subset of data...". Does this mean that if I want to further extract fields from the new sourcetype I can only do that using TRANSFORMS from that point forward, or would I be able to put a new stanza further down in props.conf for [my_new_st] and use additional REPORTs or EXTRACTs that only apply to that new sourcetype?

For example, can I do something like the following?

Description: first split the individual events based on the value regex-matched on the 5th field, then do different field extracts for each of the new sourcetypes.

props.conf:
[syslog]
TRANSFORMS-create_sourcetype1 = create_sourcetype1
TRANSFORMS-create_sourcetype2 = create_sourcetype2
[sourcetype1]
REPORT-extract = custom_delim_sourcetype1
[sourcetype2]
REPORT-extract = custom_delim_sourcetype2

transforms.conf:
# Index-time sourcetype rewrite. Four syslog header tokens (month, day, time,
# host) are skipped so the program tag being matched is the 5th space-separated
# field, matching the d_logname position in the FIELDS lists below.
[create_sourcetype1]
REGEX = ^(?:[^ \n]* ){4}(my_log_name_1:)\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1
[create_sourcetype2]
REGEX = ^(?:[^ \n]* ){4}(my_log_name_2:)\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2
[custom_delim_sourcetype1]
DELIMS = " "
FIELDS = d_month,d_date,d_time,d_source,d_logname,d_info,cs_url,cs_bytes,cs_port
[custom_delim_sourcetype2]
DELIMS = " "
FIELDS = d_month,d_date,d_time,d_source,d_logname,d_info,cs_username,sc_http_status
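An added example, not from this thread or from Splunk itself: a small Python harness that mirrors the two-stage pipeline in the question (the index-time TRANSFORMS sourcetype rewrite, then the per-sourcetype REPORT DELIMS/FIELDS split) so the regexes and field lists can be checked against sample lines before they reach an indexer. The sample events are constructed, and the splitting is an approximation of Splunk's DELIMS behaviour, not its implementation.

```python
import re

# Mirrors the two transforms.conf stanzas: four syslog header tokens
# (month day time host), then the program tag as the 5th field.
SOURCETYPE_TRANSFORMS = [
    (re.compile(r"^(?:[^ \n]* ){4}(my_log_name_1:)\s"), "sourcetype1"),
    (re.compile(r"^(?:[^ \n]* ){4}(my_log_name_2:)\s"), "sourcetype2"),
]

# Mirrors the REPORT-extract DELIMS/FIELDS stanzas, keyed by sourcetype.
FIELD_EXTRACTIONS = {
    "sourcetype1": (" ", ["d_month", "d_date", "d_time", "d_source", "d_logname",
                          "d_info", "cs_url", "cs_bytes", "cs_port"]),
    "sourcetype2": (" ", ["d_month", "d_date", "d_time", "d_source", "d_logname",
                          "d_info", "cs_username", "sc_http_status"]),
}

def assign_sourcetype(event, original="syslog"):
    """Index-time step: the first TRANSFORMS regex that matches rewrites
    MetaData:Sourcetype; unmatched events keep the original sourcetype."""
    for regex, new_sourcetype in SOURCETYPE_TRANSFORMS:
        if regex.search(event):
            return new_sourcetype
    return original

def extract_fields(event, sourcetype):
    """Search-time step: apply the REPORT stanza bound to this sourcetype.
    Approximation of DELIMS: every character in the DELIMS string is a
    delimiter, one value per token, surplus tokens dropped, missing ones absent."""
    if sourcetype not in FIELD_EXTRACTIONS:
        return {}
    delims, names = FIELD_EXTRACTIONS[sourcetype]
    values = re.split("[" + re.escape(delims) + "]", event.rstrip("\n"))
    return dict(zip(names, values))

def route_and_extract(event):
    """Full pipeline for one raw line: (assigned sourcetype, extracted fields)."""
    sourcetype = assign_sourcetype(event)
    return sourcetype, extract_fields(event, sourcetype)

# Constructed sample events (not real data) for checking the config offline.
SAMPLE_EVENTS = [
    "Jan 12 10:00:00 proxy1 my_log_name_1: allowed http://example.com/ 512 443",
    "Jan 12 10:00:01 proxy1 my_log_name_2: denied alice 403",
    "Jan 12 10:00:02 proxy1 other_daemon: unrelated message",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(route_and_extract(line))
```

A line whose tag sits one token further right (or left) than the FIELDS list expects will show up here as the wrong value landing in d_logname, which is the mismatch to catch before deploying.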