Splunk_deploy/deployment-apps/Splunk_TA_sbc/local/props.conf

#Sourcetype pour sbc
[sbc]
SHOULD_LINEMERGE=false
KV_MODE = none
EXTRACT-sbc-generic = (?<device_time>\w+\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) (?<reported_hostname>\S+)(-[0-9]+)? .* (?<sequence>\[S=\d*]) (?<ID>\[[S,B]ID=.*]) \s*(?<message_text>.*)
description = Sourcetype pour sbc equipements

[syslog]
TRANSFORMS-sourcetype-sbc = force_sourcetype_for_sbc