It is sometimes convenient to override the main metadata fields. We will look at one possible reason for overriding each base metadata value.
Remember that transforms are applied after parsing, so changing metadata fields via transforms cannot be used to affect which props.conf stanzas are applied for date parsing or line breaking.
For instance, with syslog events in which the hostname is carried inside the event text, a host value set by a transform cannot be used to select the time zone, because the date has already been parsed before the transforms are applied. The keys provided by Splunk include:
- _raw (this is the default value for SOURCE_KEY)
- MetaData:Source
- MetaData:Sourcetype
- MetaData:Host
- _MetaData:Index
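As an added example (not from the book), the following props.conf and transforms.conf stanzas override two of the keys listed above, host and index, for syslog events; the stanza names, regex and index name are hypothetical, and the event shape in the comment is constructed:

```ini
# props.conf (hypothetical stanza name; applies the transforms below to the
# "syslog" sourcetype after parsing, so date parsing is unaffected)
[syslog]
TRANSFORMS-override = syslog_host_override, syslog_index_override

# transforms.conf
[syslog_host_override]
# Constructed event shape:
#   <13>Oct 11 22:14:15 webserver01 sshd[1234]: Accepted publickey ...
# SOURCE_KEY is _raw by default, so the regex runs against the full event.
# The fourth whitespace-separated token after the priority is the hostname.
REGEX = ^<\d+>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s
# Host values must be written with the "host::" prefix.
FORMAT = host::$1
DEST_KEY = MetaData:Host

[syslog_index_override]
# Route events whose message mentions sshd to a dedicated index (hypothetical
# index name). The index key takes the bare index name, with no prefix.
REGEX = \ssshd\[\d+\]:
FORMAT = auth_events
DEST_KEY = _MetaData:Index
```

Because these run after parsing, the host written here does not select a per-host props.conf stanza for TZ or line breaking, exactly the limitation described above.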