Clone an event based on a indexed field

Getting Data In

Hi all,

We have a source which comes in via HEC into an index.

The sourcetyping currently is dynamic.
We then route data based on a indexed label the data to a specific index.

Here comes the catch.

If we have another indexed field called label we want to clone that event into a new index and sourcetype

props.conf

[(?::){0}kube:container:*] 
TRANSFORMS-route_by_domain_label = route_by_domain_label

transforms.conf

We route the data based on a label which is custom named k8s_label for the example here

and for sensitive data we also have a label called : label_sensitive

[route_index_by_label_domain]
SOURCE_KEY = field:k8s_label
REGEX = index_domain_(\w+)
FORMAT = indexname_$1
DEST_KEY = _MetaData:Index

[clone_when_sensitive]
SOURCE_KEY = field:label_sensitive
REGEX = true
DEST_KEY = _MetaData:Sourcetype
#CLONE_SOURCETYPE = sensitive_events
FORMAT = sourcetype::sensitive_events

Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub Hello Splunk Community! Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Are you a member of the Splunk Community?