Channel: Questions in topic: "universal-forwarder"

Do TRANSFORMS in a source stanza and a sourcetype stanza both apply?

I am thinking of merging a variety of sources being monitored by a Universal Forwarder into a single `sourcetype` for indexing (and later searching) purposes. The sources each have specific pre-processing that needs to be done, and then a bunch of common processing that I can assign to the `sourcetype`.

Suppose I have a `[source::]` stanza that specifies a number of `TRANSFORMS` clauses and a `sourcetype = ` clause, and also a `[]` stanza with its own `TRANSFORMS` clauses. Will the source have both sets of `TRANSFORMS` applied? Or will the first set be ignored because the `sourcetype` clause "overrides" it?

If I have a `force_local_processing = true` clause in the `sourcetype` stanza, will the Universal Forwarder also process the search-time `REPORT` and `EXTRACT` clauses? The `FIELDALIAS`, `EVAL`, `LOOKUP` clauses? I suspect no on both counts.

I know `SEDCMD` clauses are applied at index-time, but are they applied before `TRANSFORMS`? Is the order in which they appear in a stanza significant?
