I am looking to replace a sourcetype using props.conf / transforms.conf so far with no luck. props.conf [original_sourcetype] NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false TIME_PREFIX = oldtimeprefix TIME_FORMAT=oldtimeformat pulldown_type = 1 TRANSFORMS-set_new=set_new_sourcetype [new_sourcetype_with_new_timeformat] NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false TIME_PREFIX=newtimeprefix TIME_FORMAT=newtimeformat pulldown_type = 1 #rename=original_sourcetype transforms.conf [set_new_sourcetype] SOURCE_KEY = MetaData:Source REGEX = ^source::var/log/path/tofile.log FORMAT = sourcetype::new_sourcetype_with_new_timeformat DEST_KEY = MetaData:Sourcetype tried different REGEX's, including  REGEX = var/log/path/tofile.log   Also tried setting it like this in props.conf [source::var/log/path/tofile.log] TRANSFORMS-set_new=set_new_sourcetype   I am also looking at inputs.conf, which has monitoring stanzas for all syslog traffic, perhaps some blacklisting/ whitelisting based on source can be done there. But I am curious as to what is not working with my props/transforms. Thanks       ... View more