I am trying to change the sourcetype on the events from a dataset based on certain fields in the dataset that is currently being added using a scripted input. This is what I have currently:
props.conf
[source::testservice]
TRANSFORMS-changesourcetype = sourcetype-test1info, sourcetype-test2info
transforms.conf
[sourcetype-test1info]
DEST_KEY = MetaData:SourceType
REGEX = "field1=(? [^ ])"
FORMAT = sourcetype::test1info
CLEAN_KEYS = 0
MV_ADD = 0
[sourcetype-test2info]
DEST_KEY = MetaData:SourceType
REGEX = "field2=(? [^ ] )"
FORMAT = sourcetype::test2info
CLEAN_KEYS = 0
MV_ADD = 0
The files are currently located in etc/apps/appname/local. I dont see this transformation having any effect. The event would look something like:
2011-06-01 20:41:13 PDT timestamp=1306986073 field1=value1 location=testlocation
Any idea what I may be missing?
... View more