Clone an event based on a indexed field

Getting Data In

Hi all,

We have a source which comes in via HEC into an index.

The sourcetyping currently is dynamic.
We then route data based on a indexed label the data to a specific index.

Here comes the catch.

If we have another indexed field called label we want to clone that event into a new index and sourcetype

props.conf

[(?::){0}kube:container:*] 
TRANSFORMS-route_by_domain_label = route_by_domain_label

transforms.conf

We route the data based on a label which is custom named k8s_label for the example here

and for sensitive data we also have a label called : label_sensitive

[route_index_by_label_domain]
SOURCE_KEY = field:k8s_label
REGEX = index_domain_(\w+)
FORMAT = indexname_$1
DEST_KEY = _MetaData:Index

[clone_when_sensitive]
SOURCE_KEY = field:label_sensitive
REGEX = true
DEST_KEY = _MetaData:Sourcetype
#CLONE_SOURCETYPE = sensitive_events
FORMAT = sourcetype::sensitive_events

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide Staying ahead in the fast-paced ...