Creating Sourcetype form event data not data

Getting Data In

I am sending open telemetry Log data to Splunk.

I am sending 3 different types of logs to one index and to one source type (For the moment)

Is it possible to receive this data into Splunk and then create 3 different types of Sourcetypes, based on the event data, not the data?

 splunk_hec/logs: # pushed to splunk
    token: "ac3fa6bf-f9df-4757-a5e5-9ee7bf23160d"
    endpoint: "https://dell425srv:9088/services/collector"
    source: "mx"
    sourcetype: "otel"
    index: "murex_logs"
    tls:
      insecure_skip_verify: true

In the below image we can see the event data is called log.type.

There can be three of them. I need to make 3 source types from these 3.

Normally I would use a transform, but I think I can only use that on the data, not the event data?

Any help would be great

Thanks in advance

Robbie

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...