https://community.splunk.com/t5/Getting-Data-In/CLONE-SOURCETYPE-not-honoring-REGEX/m-p/530678#M89310 <P>While attempting to clone (and mask) events that belong to select source patterns,. the CLONE_SOURCETYPE doesn't honor the REGEX. The goal is to restrict cloning to those events that have dev or tst in their source.&nbsp; So prod or perf or uat etc wouldn't get cloned.&nbsp;</P><P>it seems that the no matter what the REGEX in the clone stanza in transforms, the events gets cloned.&nbsp;</P><P>The temporary solution was to run a nullQueue for those non-dev and non-tst sources.</P><P>What am I doing wrong here?&nbsp; Any thoughts/suggestions? <STRONG>Note</STRONG> -The test file doesn't have any source defined. The only place I supply a source is using the rename-source argument as below</P><P>&nbsp;</P><P># Code fragment&nbsp;</P><P>How I run this using oneshot -</P><P>splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_<STRONG>dev</STRONG>_cnf" -index mask&nbsp; -sourcetype sfdc:orig -host dev_01 [<STRONG>WORKS- clones should be created. Works as expected</STRONG>]</P><P>splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_<STRONG>prod</STRONG>_cnf" -index mask&nbsp; -sourcetype sfdc:orig -host dev_02&nbsp; [<STRONG>DOESN'T WORK - clones shouldn't be created, but they are</STRONG>]</P><P><STRONG>props..conf</STRONG></P><P>[sfdc:orig]<BR />TRANSFORMS-sfdc-orig = sfdc_cloner</P><P>[sfdc:clone]<BR />EVAL-mn = "foo"</P><P><STRONG>transforms.conf</STRONG></P><P># sources are one of the following -&nbsp; sfdc_object://User_splunk_dev_cnf sfdc_object://User_splunk_tst_cnf&nbsp; &nbsp; &nbsp; sfdc_object://User_splunk_prod_cnf ...</P><P>[sfdc_cloner]<BR />#Only clone those where sources don't have _prod_&nbsp;<BR />REGEX = ^(?=.*(dev|tst)).*<BR /># Tried this as well - no bueno<BR />#REGEX = (sfdc_object:.*(dev|tst)_cnf.*)</P><P>SOURCE_KEY = MetaData:Source<BR />FORMAT = $0<BR />DEST_KEY = _raw<BR />CLONE_SOURCETYPE = sfdc:clone</P> Tue, 24 Nov 2020 20:25:47 GMT manojnair 2020-11-24T20:25:47Z https://community.splunk.com/t5/Getting-Data-In/CLONE-SOURCETYPE-not-honoring-REGEX/m-p/530678#M89310 <P>While attempting to clone (and mask) events that belong to select source patterns,. the CLONE_SOURCETYPE doesn't honor the REGEX. The goal is to restrict cloning to those events that have dev or tst in their source.&nbsp; So prod or perf or uat etc wouldn't get cloned.&nbsp;</P><P>it seems that the no matter what the REGEX in the clone stanza in transforms, the events gets cloned.&nbsp;</P><P>The temporary solution was to run a nullQueue for those non-dev and non-tst sources.</P><P>What am I doing wrong here?&nbsp; Any thoughts/suggestions? <STRONG>Note</STRONG> -The test file doesn't have any source defined. The only place I supply a source is using the rename-source argument as below</P><P>&nbsp;</P><P># Code fragment&nbsp;</P><P>How I run this using oneshot -</P><P>splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_<STRONG>dev</STRONG>_cnf" -index mask&nbsp; -sourcetype sfdc:orig -host dev_01 [<STRONG>WORKS- clones should be created. Works as expected</STRONG>]</P><P>splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_<STRONG>prod</STRONG>_cnf" -index mask&nbsp; -sourcetype sfdc:orig -host dev_02&nbsp; [<STRONG>DOESN'T WORK - clones shouldn't be created, but they are</STRONG>]</P><P><STRONG>props..conf</STRONG></P><P>[sfdc:orig]<BR />TRANSFORMS-sfdc-orig = sfdc_cloner</P><P>[sfdc:clone]<BR />EVAL-mn = "foo"</P><P><STRONG>transforms.conf</STRONG></P><P># sources are one of the following -&nbsp; sfdc_object://User_splunk_dev_cnf sfdc_object://User_splunk_tst_cnf&nbsp; &nbsp; &nbsp; sfdc_object://User_splunk_prod_cnf ...</P><P>[sfdc_cloner]<BR />#Only clone those where sources don't have _prod_&nbsp;<BR />REGEX = ^(?=.*(dev|tst)).*<BR /># Tried this as well - no bueno<BR />#REGEX = (sfdc_object:.*(dev|tst)_cnf.*)</P><P>SOURCE_KEY = MetaData:Source<BR />FORMAT = $0<BR />DEST_KEY = _raw<BR />CLONE_SOURCETYPE = sfdc:clone</P> Tue, 24 Nov 2020 20:25:47 GMT https://community.splunk.com/t5/Getting-Data-In/CLONE-SOURCETYPE-not-honoring-REGEX/m-p/530678#M89310 manojnair 2020-11-24T20:25:47Z