It's the first of the force transforms tried against fgt_log. So even though the event has type="utm", it matches later in the event due to data in the url field. So the result would be that this event would be sourcetype=fgt_traffic. Now, as the remaining force transforms continue to be applied, it would probably then match the force_utm one later and then get set to that. 🙂 But it would probably be better to get it set correctly once.
One approach might be to combine your 3 force stanzas into one. So look to do this:
The (*COMMIT) is a way of saying, "If you get this far in the match, but fail later, don't backtrack past this".
So the regex above is saying, "Going from the start of the line ( ^ ), look for any character 1 or more times (lazily). When you find devid=, then we know we're in the right place. If our F(?:G|W|6K) doesn't match, then don't go back and try to find it anywhere else. Once we got to devid= we were committed - there's no going back now..."
Basically, it's a handy way to stop the regex being tried later in the event. But I'm not a regex guru, so do some testing and see how it works. It just proved useful for us in our environment.
The main one is really to see if you need to fix-up the alternation in the character class and possibly combine the stanzas in a future TA release.