You should use the sourcetype field for this when you set up your REST stanzas.
Trivial example: a parent stanza with shared config fields and 2 child stanzas, each with their own sourcetype.
[rest]
index=main
[rest://foo]
sourcetype=abc
...
[rest://goo]
sourcetype=def
...
Or, if you can't do that, then you should use a custom response handler in the REST TA to dynamically determine what additional "tag" field to add to the event.
Loads of examples in rest_ta/bin/responsehandlers.py for this pre-processing approach using Python code.
Or you could also add fields at index time, but you'll be limited in what you can achieve to regex-based logic.
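A sketch of the custom response handler approach mentioned in the answer above, as an added example that is not part of the original post and not code from the REST TA. The handler's call signature, the `emit` helper, the `TAG_BY_HOST` mapping and the `example.com` endpoints are assumptions made for illustration; compare against the handlers shipped in rest_ta/bin/responsehandlers.py before using it.

```python
import json
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Hypothetical mapping from API host to tag value (constructed for illustration).
TAG_BY_HOST = {"foo.example.com": "abc", "goo.example.com": "def"}


def tag_events(raw_response_output, endpoint, default_tag="unknown"):
    """Return a list of JSON strings, one per event, each carrying a 'tag' field."""
    host = urlparse(endpoint).hostname or ""
    tag = TAG_BY_HOST.get(host, default_tag)
    try:
        payload = json.loads(raw_response_output)
    except ValueError:
        # Non-JSON body: keep the raw text so nothing is silently dropped.
        payload = {"raw": raw_response_output}
    records = payload if isinstance(payload, list) else [payload]
    events = []
    for record in records:
        if not isinstance(record, dict):
            record = {"value": record}
        record["tag"] = tag  # the dynamically chosen field
        events.append(json.dumps(record, sort_keys=True))
    return events


def emit(event):
    # Stand-in for the TA's own output helper: one XML-escaped event on stdout.
    print("<stream><event><data>%s</data></event></stream>" % escape(event))


class TaggingResponseHandler:
    """Assumed handler shape: a class instance called once per HTTP response."""

    def __init__(self, **args):
        self.default_tag = args.get("default_tag", "unknown")

    def __call__(self, response_object, raw_response_output,
                 response_type, req_args, endpoint):
        for event in tag_events(raw_response_output, endpoint, self.default_tag):
            emit(event)


if __name__ == "__main__":
    # Constructed sample response, not real API output.
    TaggingResponseHandler()(None, '[{"id": 1}]', "json", {},
                             "https://foo.example.com/api")
```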