My logs look like this:
Jan 10 14:54:13 host 14:54:13,001801006057,TRAFFIC,end,1,2014/01/10 14:54:12,1.1.1.1,2.2.2.2,0.0.0.0,0.0.0.0,Permit Into DMZ,,,ping,vsys1,Inside,ANS Test,ae1.1,ae1.2,syslog.domain.com,2014/01/10 14:54:12,240135,1,0,0,0,0,0x4000,icmp,allow,204,102,102,2,2014/01/10 14:54:06,0,any,0,6350272,0x0,United States,10.0.0.0-10.255.255.255,0,1,1
transforms.conf for 'traffic', located in
\etc\apps\SplunkforPaloAltoNetworks\local
[pan_traffic]
DEST_KEY = MetaData:Sourcetype
REGEX = ([^,]+,[^,]+,TRAFFIC,)
FORMAT = sourcetype::pan_traffic
Still, the sourcetype is not getting changed.
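An added example, written for this page and not taken from the post or from the Splunk for Palo Alto Networks app, that models in Python what the [pan_traffic] stanza above would do to the sample event. Two things are checked: first, that the REGEX `([^,]+,[^,]+,TRAFFIC,)` actually matches the raw line (Splunk applies it unanchored, like `re.search`), and second, that a transforms.conf stanza only runs when a props.conf stanza for the incoming sourcetype names it in a `TRANSFORMS-<class>` setting. Assumptions: the incoming sourcetype is `syslog`, the THREAT line is a constructed negative case in the same format, and `apply_transform`, `route_event` and the dict layout are hypothetical helpers, not Splunk APIs. Getting this routing right matters for detection: if the firewall events stay on the generic sourcetype, the app's field extractions and any searches or alerts scoped to `sourcetype=pan_traffic` silently see nothing.

```python
import re

# Constructed sample events. The TRAFFIC line is the one from the post; the THREAT
# line is a constructed negative case in the same layout (assumption, not from the post).
TRAFFIC_EVENT = (
    "Jan 10 14:54:13 host 14:54:13,001801006057,TRAFFIC,end,1,2014/01/10 14:54:12,"
    "1.1.1.1,2.2.2.2,0.0.0.0,0.0.0.0,Permit Into DMZ,,,ping,vsys1,Inside,ANS Test,"
    "ae1.1,ae1.2,syslog.domain.com,2014/01/10 14:54:12,240135,1,0,0,0,0,0x4000,icmp,"
    "allow,204,102,102,2,2014/01/10 14:54:06,0,any,0,6350272,0x0,United States,"
    "10.0.0.0-10.255.255.255,0,1,1"
)
THREAT_EVENT = (
    "Jan 10 14:55:02 host 14:55:02,001801006057,THREAT,url,1,2014/01/10 14:55:01,"
    "1.1.1.1,2.2.2.2,0.0.0.0,0.0.0.0,Permit Into DMZ"
)

# transforms.conf from the post, keyed by stanza name.
TRANSFORMS = {
    "pan_traffic": {
        "DEST_KEY": "MetaData:Sourcetype",
        "REGEX": r"([^,]+,[^,]+,TRAFFIC,)",
        "FORMAT": "sourcetype::pan_traffic",
    },
}


def apply_transform(event, sourcetype, stanza):
    """Hypothetical helper modelling one index-time transforms.conf stanza:
    if REGEX matches anywhere in the raw event (unanchored search, as Splunk does)
    and DEST_KEY is MetaData:Sourcetype, the sourcetype becomes the name in FORMAT."""
    if not re.search(stanza["REGEX"], event):
        return sourcetype
    if stanza["DEST_KEY"] != "MetaData:Sourcetype":
        return sourcetype  # other DEST_KEYs (queue, _raw, ...) are out of scope here
    prefix, sep, value = stanza["FORMAT"].partition("::")
    if prefix != "sourcetype" or not sep or not value:
        raise ValueError(f"FORMAT must look like sourcetype::<name>, got {stanza['FORMAT']!r}")
    return value


def route_event(event, incoming_sourcetype, props, transforms):
    """Hypothetical helper modelling the props.conf -> transforms.conf link:
    only stanzas listed for the incoming sourcetype are applied, in the listed order.
    `props` maps a props.conf stanza name (here the incoming sourcetype) to the
    transform names from its TRANSFORMS-<class> settings."""
    sourcetype = incoming_sourcetype
    for name in props.get(incoming_sourcetype, []):
        sourcetype = apply_transform(event, sourcetype, transforms[name])
    return sourcetype


if __name__ == "__main__":
    # props.conf with no reference to the stanza: the transform never runs.
    no_props = {}
    # props.conf equivalent of:  [syslog]  TRANSFORMS-pan = pan_traffic   (assumed sourcetype)
    with_props = {"syslog": ["pan_traffic"]}

    print(route_event(TRAFFIC_EVENT, "syslog", no_props, TRANSFORMS))    # syslog
    print(route_event(TRAFFIC_EVENT, "syslog", with_props, TRANSFORMS))  # pan_traffic
    print(route_event(THREAT_EVENT, "syslog", with_props, TRANSFORMS))   # syslog
```

The first call shows the failure mode from the post as this model reproduces it: the regex and stanza are valid, but nothing invokes them until a props.conf stanza for the incoming sourcetype (or source/host) references `pan_traffic`. The third call confirms the regex is selective enough not to relabel THREAT events.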