I am sending Palo Alto logs to a syslog server, which then sets the index to "pan_logs" and the sourcetype to "pan_log" and forwards them on to our indexer/search head. I am able to see the logs on the indexer with the source type of pan_log and the index of "pan_logs", but I am not able to see the new sourcetypes. It appears that the transforms to change the sourcetypes to their respective values are not changing them. Looking for help.