Hello,

I would need a confirmation of my CLONE_SOURCETYPE configuration.
I have the following requirements:

sourcetype 1: ISP_hanatraces
Here I would like all the events containing the strings:
csns.admin.AdminConnection
csns.admin.commands
alter system alter configuration
to be cloned to the new index mlbso_changelog and the source type ISP_parameterChangelog.

sourcetype 2: ISP_executed_statements
Here I would like to copy all the events completely to the new index mlbso_changelog and the source type ISP_DMLchangelog.

My configuration for that would be:

props.conf

[ISP_hanatraces]
TRANSFORMS-ISP_parameterChangelog_clone

[ISP_executed_statements]
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?:\r?\n){2,})
TRANSFORMS-ISP_executed_statements_clone

transforms.conf

[ISP_parameterChangelog_clone]
 CLONE_SOURCETYPE = ISP_parameterChangelog
 REGEX            = .*(?i)(csns\.admin\.AdminConnection|csns\.admin\.commands|alter system alter configuration)(?-i).*
 FORMAT           = mlbso_changelog
 DEST_KEY         = _MetaData:index

[ISP_executed_statements_clone]
 CLONE_SOURCETYPE = ISP_DMLchangelog
 FORMAT           = mlbso_changelog
 DEST_KEY         = _MetaData:index

Does the above make sense?
Also, the original sourcetypes have some sensitive data being hashed in the props.conf using SEDCMD later in the file. However I would like to clone the data still before hashing. Would the cloning and transform rules be applied in the order how they appear in the props.conf? Then it would be fine for me as the cloning entries above would come first.

Kind regards,
Kamil