I've tried everything and it seems I still can't get my stanzas in props.conf and transforms.conf to overwride sourcetype/source/host.
Props.conf: (in etc/apps/clientname/local/)
[source::/path/to/files/...]
TRANSFORMS-set_sourcetype_for_files = set_sourcetype_for_files
priority = 10
Transforms.conf: (in etc/apps/clientname/local/)
[set_sourcetype_for_files]
SOURCE_KEY = Metadata:Source
DEST_KEY = MetaData:Sourcetype
REGEX = .*/(.*).log
FORMAT = sourcetype::$1
Why is this sourcetype change not sticking?
Be sure to check your capitalization, as it is case sensitive and DIFFERENT between different lines in transforms.conf!
Here is the equivalent setup that actually worked, note the capitalization differences between SOURCE_KEY/DEST_KEY and FORMAT lines:
props.conf
[source::/path/to/files/...]
TRANSFORMS-set_sourcetype_for_files = set_sourcetype_for_files
priority = 10
transforms.conf
[set_sourcetype_for_files]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
REGEX = .*/(.*).log
FORMAT = sourcetype::$1
Be sure to check your capitalization, as it is case sensitive and DIFFERENT between different lines in transforms.conf!
Here is the equivalent setup that actually worked, note the capitalization differences between SOURCE_KEY/DEST_KEY and FORMAT lines:
props.conf
[source::/path/to/files/...]
TRANSFORMS-set_sourcetype_for_files = set_sourcetype_for_files
priority = 10
transforms.conf
[set_sourcetype_for_files]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
REGEX = .*/(.*).log
FORMAT = sourcetype::$1
And Sourcetype vs sourcetype.
Just to clarify, it's MetaData
vs Metadata
.