Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do i clone one sourcetype multiple times?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI
Currently i copy a sourcetypes with TRANSFORMS-CLONE and it works, example below.
But i want to use TRANSFORMS-CLONE multiple times from the original props.conf is that possible?
Current Situation
Forwarder
[monitor:///net/hp737srv/hp737srv1/apps/TEST/JAVA_11_TEST_FILES/FULL_LOGS_NO2/logs.../*]
sourcetype = G1
crcSalt = <SOURCE>
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA
transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
However I now have to make more TRANSFORMS-CLONE work from more then 1 (This does not work)
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA2
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA3
Or if i tried the other way in the to clone in the transforms.conf multiple times (it does not work either)
And use multiple CLONE_SOURCETYPE_JAVA in the transforms.conf, it only pick one of them not the second one.
transforms.conf
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
[CLONE_SOURCETYPE_JAVA]
CLONE_SOURCETYPE = GC11
REGEX = .
It does work if i push one to another and then again to another...but this creates a long string. JAVA->GC11->sun_jvm
I want it to come in a sourcetype X. Then copy X to A,B,C and not have a long string
Thanks in Advance for any help
Rob 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11
transforms.conf
[CLONE_SOURCETYPE_JAVA_sun_jvm]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
[CLONE_SOURCETYPE_JAVA_gc11]
CLONE_SOURCETYPE = GC11
REGEX = .
Although I'm not sure I understand why you want to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[G1]
TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA_sun_jvm,CLONE_SOURCETYPE_JAVA_gc11
transforms.conf
[CLONE_SOURCETYPE_JAVA_sun_jvm]
CLONE_SOURCETYPE = sun_jvm
REGEX = .
[CLONE_SOURCETYPE_JAVA_gc11]
CLONE_SOURCETYPE = GC11
REGEX = .
Although I'm not sure I understand why you want to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect, can you change to a an answer and i will accept it please.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need this as the files that come in *.gc.log can be many different garabage collection ways, JAVA 8,9,11 J1 etc.... So i have to take them in and use REGEX to decide what is what.
thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
