Clone an event based on a indexed field

Getting Data In

Hi all,

We have a source which comes in via HEC into an index.

The sourcetyping currently is dynamic.
We then route data based on a indexed label the data to a specific index.

Here comes the catch.

If we have another indexed field called label we want to clone that event into a new index and sourcetype

props.conf

[(?::){0}kube:container:*] 
TRANSFORMS-route_by_domain_label = route_by_domain_label

transforms.conf

We route the data based on a label which is custom named k8s_label for the example here

and for sensitive data we also have a label called : label_sensitive

[route_index_by_label_domain]
SOURCE_KEY = field:k8s_label
REGEX = index_domain_(\w+)
FORMAT = indexname_$1
DEST_KEY = _MetaData:Index

[clone_when_sensitive]
SOURCE_KEY = field:label_sensitive
REGEX = true
DEST_KEY = _MetaData:Sourcetype
#CLONE_SOURCETYPE = sensitive_events
FORMAT = sourcetype::sensitive_events

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...