I have got a Splunk instance running as an HEC in Docker. I want to implement sourcetype override on a per-event basis. For that, I've added the props.conf and transforms.conf files under the $SPLUNK_HOME/etc/system/local directory.
Definitions for the files are as follows.
props.conf is shown below:
[source::*testing-token*]
ANNOTATE_PUNCT=false
TRANSFORMS-test_transform=test_transform_first,test_transform_second,test_transform_default
transforms.conf is shown below:
[test_transform_first]
REGEX=\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}\]\s\[.*
DEST_KEY=MetaData:Sourcetype
FORMAT=sourcetype::mytestcustom:myservicelogs
[test_transform_second]
REGEX=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s.*
DEST_KEY=MetaData:Sourcetype
FORMAT=sourcetype::mytestcustom:accesscombined
[test_transform_default]
REGEX=.
DEST_KEY=MetaData:Sourcetype
FORMAT=sourcetype::mytestcustom:defaultevent
When I'm sending a raw event, the HEC maps it to the sourcetype of test_transform_default even though the event is a perfect match for either test_transform_first or test_transform_second transform.
Below is a screenshot for the same

To ensure that the regex is compliant with Splunk, I ran the search query below and got the expected result:
index=testindex | regex "\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}\]\s\[.*"
The point worth noting is that the default transform is specified as the last transform in the props.conf.
What's the possible cause of the issue?
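The following is an added illustration, not code from the question or from Splunk: it replays the three transforms.conf stanzas above against constructed sample events under the assumed Splunk semantics that every transform in a TRANSFORMS- list whose REGEX matches is applied in list order, each one overwriting MetaData:Sourcetype, so that a catch-all REGEX=. placed last replaces whatever an earlier transform set. The sample events and the initial sourcetype value are constructed for the demonstration.

```python
import re

# transforms.conf stanzas exactly as given in the question: name -> (REGEX, FORMAT)
TRANSFORMS = {
    "test_transform_first": (
        r"\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}\]\s\[.*",
        "sourcetype::mytestcustom:myservicelogs",
    ),
    "test_transform_second": (
        r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s.*",
        "sourcetype::mytestcustom:accesscombined",
    ),
    "test_transform_default": (r".", "sourcetype::mytestcustom:defaultevent"),
}

# Order from the question's TRANSFORMS-test_transform line (default last).
ORDER_IN_QUESTION = ["test_transform_first", "test_transform_second", "test_transform_default"]

# Constructed sample events: one per pattern, plus one that matches neither.
EVENTS = [
    "[2023-05-01 12:00:00:123] [INFO] service started",
    '10.0.0.5 - - [01/May/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 512',
    "plain text with no recognisable shape",
]


def apply_chain(raw, order, initial="sourcetype::hec_default"):
    """Assumed semantics: run every listed transform in order; each REGEX match
    overwrites MetaData:Sourcetype, so the last matching transform wins."""
    value = initial  # constructed placeholder for the sourcetype the HEC assigned
    for name in order:
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, raw):
            value = fmt
    return value.split("::", 1)[1]


def classify(order):
    """Return the final sourcetype for each sample event under the given list order."""
    return [apply_chain(event, order) for event in EVENTS]


if __name__ == "__main__":
    # With the question's order the catch-all runs last and every event ends up as defaultevent.
    print(classify(ORDER_IN_QUESTION))
    # Moving the catch-all to the front lets the specific transforms overwrite it.
    print(classify(["test_transform_default", "test_transform_first", "test_transform_second"]))
```

Under that assumption the question's order yields mytestcustom:defaultevent for all three events, which is the outcome the screenshot describes, while listing test_transform_default first gives the specific sourcetypes to the matching events and defaultevent only to the unmatched one.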

The first time an event matches a sourcetype, it will fall into it. And if you tag an event with a given sourcetype in the actual HEC submission, it will always use that sourcetype. If you want something to come in differently, tag it differently in your HEC submission.