I want to change the sourcetype for all incoming logs whose sourcetype does not start with abc. I have the following setting, but it changes the sourcetype for all sourcetypes:
#Transforms.conf on indexer
[noncerner:setnull]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?::){0}^(?!ABC).*
#REGEX = ^(?!ABC).* tried it
#REGEX = sourcetype::^(?!ABC).* tried it
#REGEX = sourcetype::(?::)^(?!ABC).* tried it
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ABC:temp:logs
Any help is appreciated.
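Added example (not part of the original post): a small Python model of how Splunk applies a transforms.conf stanza whose SOURCE_KEY and DEST_KEY are both MetaData:Sourcetype. It assumes Splunk's documented behaviour that the value handed to REGEX is the string `sourcetype::<name>` (so FORMAT must carry the same prefix) and that REGEX is an unanchored search. The sample sourcetype names are constructed for the demonstration, and the props.conf stanza that wires the transform in (TRANSFORMS-<class> = noncerner:setnull) is assumed to already exist and is not shown. The poster's regex is kept verbatim alongside a corrected one so the difference can be run rather than argued about:

```python
import re

# Splunk presents MetaData:Sourcetype to REGEX as "sourcetype::<name>".
# When DEST_KEY = MetaData:Sourcetype, FORMAT must also start with this prefix.
KEY_PREFIX = "sourcetype::"

# Regex from the original post. "(?::){0}" is a non-capturing group repeated zero
# times, i.e. it matches the empty string, so the pattern reduces to ^(?!ABC).* .
# The matched value always begins with "sourcetype::", never "ABC", so the negative
# lookahead succeeds for every event and the transform rewrites all sourcetypes.
BROKEN_REGEX = r"(?::){0}^(?!ABC).*"

# Corrected pattern: consume the prefix first, then apply the lookahead to the
# sourcetype name itself. Equivalent transforms.conf stanza (assumed, not from the post):
#
#   [noncerner:setnull]
#   SOURCE_KEY = MetaData:Sourcetype
#   REGEX = ^sourcetype::(?!ABC)
#   DEST_KEY = MetaData:Sourcetype
#   FORMAT = sourcetype::ABC:temp:logs
FIXED_REGEX = r"^sourcetype::(?!ABC)"

# Same fix, but case-insensitive, if "abc" and "ABC" should both be left alone.
FIXED_REGEX_CI = r"(?i)^sourcetype::(?!abc)"

FORMAT = "sourcetype::ABC:temp:logs"


def apply_transform(sourcetype: str, regex: str, fmt: str = FORMAT) -> str:
    """Model one stanza with SOURCE_KEY = DEST_KEY = MetaData:Sourcetype.

    Returns the sourcetype name after the transform; unchanged when REGEX
    does not match the "sourcetype::<name>" key value.
    """
    if not fmt.startswith(KEY_PREFIX):
        raise ValueError("FORMAT for DEST_KEY = MetaData:Sourcetype must start with 'sourcetype::'")
    key = KEY_PREFIX + sourcetype
    if re.search(regex, key):          # transforms.conf REGEX is a search, not a full match
        return fmt[len(KEY_PREFIX):]   # DEST_KEY receives FORMAT; strip the prefix back to a name
    return sourcetype


def run(regex: str, sourcetypes: list[str]) -> dict[str, str]:
    """Apply one regex to a list of sourcetype names; map original -> resulting name."""
    return {st: apply_transform(st, regex) for st in sourcetypes}


# Constructed sample sourcetypes for the demonstration (not taken from the post).
SAMPLES = ["ABC:web:access", "ABC:app", "syslog", "WinEventLog:Security", "abc:lower"]

if __name__ == "__main__":
    for label, rx in (("broken", BROKEN_REGEX), ("fixed", FIXED_REGEX), ("fixed_ci", FIXED_REGEX_CI)):
        print(label)
        for before, after in run(rx, SAMPLES).items():
            print(f"  {before:22s} -> {after}")
```

Running the script shows the broken pattern renaming every sample, including the ABC ones, while the corrected pattern leaves ABC:* sourcetypes intact and rewrites only the rest. Splunk's REGEX is PCRE rather than Python `re`, but these patterns use only anchors, a negative lookahead and the `(?i)` flag, which behave the same in both engines.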