When using a directory monitor input, specific source types can be selectively overridden using the
props.conf file. According to the Splunk documentation [1], “You can specify a source type for data
based on its input and source. Specify source type for an input. You can assign the source type for
data coming from a specific input, such as /var/log/. If you use Splunk Cloud Platform, use Splunk
Web to define source types. If you use Splunk Enterprise, define source types in Splunk Web or by
editing the inputs.conf configuration file.” However, this method is not very granular and assigns the
same source type to all data from an input. To override the source type on a per-event basis, you
need to use the props.conf file and the transforms.conf file [2]. The props.conf file contains settings
that determine how the Splunk platform processes incoming data, such as how to segment events,
extract fields, and assign source types [2]. The transforms.conf file contains settings that modify or
filter event data during indexing or search time [2]. You can use these files to create rules that match
specific patterns in the event data and assign different source types accordingly [2]. For example, you
can create a rule that assigns a source type of apache_error to any event that contains the word
“error” in the first line [2].
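
The rule described above, written out as an added configuration example (not taken from the Splunk documentation quoted here). The monitored path /var/log/httpd, the input-level source type apache_access, and the stanza and class names are assumptions made for illustration.

```ini
# inputs.conf: input-level assignment. Every event from this monitor
# input gets the same source type (path and name are assumed).
[monitor:///var/log/httpd]
sourcetype = apache_access

# props.conf: attach a transform to events whose source falls under the
# monitored directory. "force_apache_error" is a hypothetical class name.
[source::/var/log/httpd/...]
TRANSFORMS-force_apache_error = set_sourcetype_apache_error

# transforms.conf: rewrite the sourcetype metadata key for matching events.
[set_sourcetype_apache_error]
# [^\r\n]* confines the match to the first line of a multi-line event.
# The match is case-sensitive as written.
REGEX = ^[^\r\n]*\berror\b
FORMAT = sourcetype::apache_error
DEST_KEY = MetaData:Sourcetype
```

The override is applied at parse time, so props.conf and transforms.conf must be deployed to the indexer or heavy forwarder that parses the data; placing them only on a universal forwarder has no effect. When validating, search for sourcetype=apache_error over a short time window and confirm that non-matching events from the same input still carry the input-level source type.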