Hi Everyone,
I'm having a little issue related with props.conf precedence. I want to apply a transforms stanza to set a sourcetype, then another stanza to extract the Metadata:Host field for this sourcetype. I tried this in props.conf :
[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
[juniper-sa-access]
TRANSFORMS-changehost = juniper-sa-access_host
...but it's not working. The first transform sets the sourcetype to juniper-sa-access but the second one never applies.
If I change to that, it's working, but it's not the desired behaviour :
[source::udp:514]
TRANSFORMS-changesourcetype = set_juniper-sa-access
TRANSFORMS-changehost = juniper-sa-access_host
Any clue?
Is it about precedence (source > host > sourcetype)? or is it because the sourcetype is set "too late" for matching the second stanza?
Best Regards,
Alexandre Faraino
... View more