It is not uncommon to change the sourcetype field of an event based on the contents of the event, particularly for events from syslog. In our fictitious example, we want a different source type for events that contain [MBX] after the log level so that we can apply different extracts to these events. The following transform will do this work:
[mbx_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \d+\s[A-Z]+\s(\[MBX\])
FORMAT = sourcetype::mbx
Use this functionality carefully, as it is easy to get conceptually wrong, and this is difficult to fix later.
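Because a wrong pattern is hard to undo once events are indexed, it is worth checking the regex against sample events first. The following is an added example, not part of the original text: it uses Python's `re` as a stand-in for Splunk's PCRE engine, assumes the intended pattern escapes the brackets around MBX, assumes `syslog` as the original sourcetype, and runs on constructed events.

```python
import re

# Assumed intended pattern: brackets escaped so "[MBX]" is matched literally.
STRICT = re.compile(r"\d+\s[A-Z]+\s(\[MBX\])")
# Same pattern with the brackets left unescaped: [MBX] becomes a character
# class meaning "one of M, B or X".
LOOSE = re.compile(r"\d+\s[A-Z]+\s([MBX])")

DEFAULT_SOURCETYPE = "syslog"  # assumption: sourcetype assigned at input time

# Constructed sample events (not taken from any real system).
EVENTS = [
    "2012-09-03T12:00:01.123 ERROR [MBX] Mailbox store offline",
    "2012-09-03T12:00:02.456 INFO Backup job finished",
    "2012-09-03T12:00:03.789 WARN [AUTH] login failed for user in [MBX] group",
    "2012-09-03T12:00:04.012 DEBUG cache warm",
]


def assign_sourcetype(event, pattern):
    """Mimic the transform: an unanchored match on the raw event text
    rewrites the sourcetype to mbx; otherwise the original one is kept."""
    return "mbx" if pattern.search(event) else DEFAULT_SOURCETYPE


def classify(events, pattern):
    """Sourcetype each event would end up with under the given pattern."""
    return [assign_sourcetype(e, pattern) for e in events]


def disagreements(events):
    """Indexes of events that the two patterns would route differently."""
    strict, loose = classify(events, STRICT), classify(events, LOOSE)
    return [i for i, (s, l) in enumerate(zip(strict, loose)) if s != l]


if __name__ == "__main__":
    for i, event in enumerate(EVENTS):
        print(i, assign_sourcetype(event, STRICT),
              assign_sourcetype(event, LOOSE), event)
    print("routed differently:", disagreements(EVENTS))
```

With the unescaped form, the genuine [MBX] event keeps its original sourcetype while the unrelated "Backup" event is relabelled, so extractions and any searches built on the mbx sourcetype would silently cover the wrong data.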