The first time an event matches a sourcetype, it will fall into it
And if you tag an event with a given sourcetype in the actual HEC submission, it will always use that sourcetype
If you want something to come in differently, tag it differently in your HEC submission
from User warren – Stack Overflow https://stackoverflow.com/questions/70838954/splunk-hec-sourcetype-override-mapping-all-events-to-a-single-transform/70850397#70850397
via IFTTT