I have configured props.conf and transforms.conf on a Heavy Forwarder in order to split an existing sourcetype into sub categories. I have utilized what appears to be the general convention for naming layers in sourcetypes ie: a:b:c:d.

Now, the sourcetype I am splitting is a:b which are generating a:b:c and a:b:c:d. Everything is working fine and I am getting the data into the indexes and the formatting is perfect. What is bothering me is that in order to search for the a:b:c and a:b:c:d source I have to use a trailing wilcard. As a:b:c and a:b:c:d each contain quite a bit of data I would like to look at either or.

Its in no way a show-stopper but I would just like to check if I have missed something with regards to the config or if this is just the way it is.

props.conf

[a:b]
TRANSFORMS-changeSourceType = set:a:b:c, set:a:b:c:d
BREAK_ONLY_BEFORE = (%)|(VOIP_CALL_STATISTICS)

transforms.conf

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = a:b:c:d

Edit:

After some further investigations it gets even stranger where I have to include a search word in order for data to displayed in addition to the trailing wildcard:

index=something sourcetype=a:b:c:d* gives no results. index=something sourcetype=a:b:c:d* foo gives results containing foo.

I forgot to mention I am running version 6.5.0.