Hello everyone. I'm trying to set host and sourcetype values with event data. The result is that the sourcetype is overridden as expected, while the host value is NOT.

By applying the following transforms.conf and props.conf, I expect that the sourcetype is overridden from default:log to mysp (which works as expected). Then, for events with sourcetype mysp, the host value is overridden with my event data using regex extraction (which didn't work).

It's making me confused. Wondering why it didn't work out for the host field. Hopefully someone would kindly help me out here. Thanks.

transforms.conf

[sourcetype_transform]
SOURCE_KEY = _raw
REGEX = <my_regex>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::mysp

[host_transform]
REGEX = <my_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

props.conf

[default:log]
TRANSFORMS-force_sourcetype = sourcetype_transform

[mysp]
TRANSFORMS-force_host = host_transform
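An added example, not part of the original post: Splunk picks the props.conf stanzas for index-time TRANSFORMS from the sourcetype an event has when it enters parsing, so a stanza for a sourcetype that is only assigned by a transform (here [mysp]) is not consulted for index-time transforms on that event. One arrangement that does not depend on it is to run both transforms from the original stanza; the class name `force_meta` is hypothetical, and it is assumed that the host regex matches only the events meant to become mysp and has a capture group for `$1`.

```ini
# props.conf (added example; transforms.conf stays as posted)
[default:log]
# Both transforms are attached to the sourcetype the event arrives with.
# Transforms listed in one TRANSFORMS-<class> run in the order given.
# force_meta is a hypothetical class name.
TRANSFORMS-force_meta = sourcetype_transform, host_transform
```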