{"id":50474,"date":"2022-01-25T14:32:30","date_gmt":"2022-01-25T14:32:30","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=50474"},"modified":"2022-01-25T14:32:30","modified_gmt":"2022-01-25T14:32:30","slug":"answer-by-warren-for-splunk-hec-sourcetype-override-mapping-all-events-to-a-single-transform","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=50474","title":{"rendered":"Answer by warren for Splunk HEC sourcetype override mapping all events to a single transform"},"content":{"rendered":"<p>The <em>first<\/em> time an event matches a <code>sourcetype<\/code>, it will fall into it<\/p>\n<p>And if you <em>tag<\/em> an event with a given <code>sourcetype<\/code> in the actual HEC submission, it will <em>always<\/em> use that <code>sourcetype<\/code><\/p>\n<p>If you want something to come in differently, tag it differently in your HEC submission<\/p>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/70838954\/splunk-hec-sourcetype-override-mapping-all-events-to-a-single-transform\/70850397#70850397<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The first time an event matches a sourcetype, it will fall into it And if you tag an event with a given sourcetype in the actual HEC submission, it will always use that sourcetype If you want something to come in differently, tag it differently in your HEC submission from User warren &#8211; Stack Overflow &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=50474\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for Splunk HEC sourcetype override mapping all events to a single transform<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-50474","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/50474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50474"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/50474\/revisions"}],"predecessor-version":[{"id":50475,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/50474\/revisions\/50475"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50474"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=50474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}