I see, thanks for the info. Moving forward, I'm trying to separate the specific syslog messages from the rest (via assigning a new sourcetype). However, it appears that setting sourcetype at index time via TRANSFORMS does not select rules in props based on the new sourcetype at index time, and it only affects search time. (See post below).
Is there any way this can be done?
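For context, this is the kind of index-time sourcetype override the question refers to, written out as an added example (not configuration from the post or from Splunk's own documentation; the stanza names, regex and sourcetype name are assumed). It routes syslog lines matching a constructed pattern to a new sourcetype, and notes which settings keyed on that new sourcetype will and will not take effect:

```ini
# props.conf  (hypothetical example)
# Applies to data that arrives with the original sourcetype "syslog".
# Index-time settings here (line breaking, timestamping, transforms) run
# while the event still carries the ORIGINAL sourcetype.
[syslog]
TRANSFORMS-set_appfw_sourcetype = set_appfw_sourcetype

# Settings in this stanza are keyed on the NEW sourcetype. Because the
# override above happens during the transforms phase, index-time settings
# placed here (LINE_BREAKER, TIME_PREFIX, TIME_FORMAT, further TRANSFORMS-*)
# are not applied to these events; only search-time settings such as
# EXTRACT-*, REPORT-*, FIELDALIAS-* and LOOKUP-* are honoured.
[appfw_syslog]
EXTRACT-appfw_action = action=(?<appfw_action>\w+)

# transforms.conf  (hypothetical example)
# Match a constructed marker in the raw event and rewrite the sourcetype.
[set_appfw_sourcetype]
REGEX = \sappfw\[\d+\]:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::appfw_syslog
```

The practical consequence for a defender is that anything that must happen at index time for the separated messages (custom line breaking, timestamp parsing, or a second TRANSFORMS such as routing to a different index) has to be declared in the stanza for the original sourcetype, for example by making the routing transform a second entry in the same `TRANSFORMS-` list on `[syslog]`, with its own REGEX, rather than in the stanza for the new one. A quick check after a restart is to search `sourcetype=appfw_syslog` and confirm the events appear with the expected sourcetype and that the search-time extraction resolves.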