Splunk_deploy/deployment-apps/Splunk_TA_Aviat/local/transforms.conf

#Transform pour FH aviat
[force_sourcetype_for_aviat]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aviat
REGEX = (?<device_time>\w+\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) (?<reported_ip>\S+) (?<user>[^\[]+)\[(?<pid>\d+)\] (?<message_text>.+)