Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how can I keep the original meta when cloning the event.

sudha_krish
Explorer
‎07-15-2025 11:37 AM

I'm cloning the event and before cloning  extracting sourcetype to use later.

transforms.conf

[copy_original_sourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (.+)
FORMAT = orig_sourcetype::$1
WRITE_META = true

[clone_for_thirdparty]
SOURCE_KEY = _MetaData:Index
REGEX = ^test_np$
DEST_KEY = MetaData:Sourcetype
CLONE_SOURCETYPE = data_to_thirdparty
WRITE_META = true

[sourcetype_raw_updated]
SOURCE_KEY=MetaData:orig_sourcetype
REGEX=^orig_sourcetype::(.*)$
FORMAT = $1##$0
DEST_KEY=_raw

But when I try to retrieve extracted original value  I'm getting nothing. Is there any way to persist original sourcetype ?

@PickleRick @isoutamo @gcusello 

Labels (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-15-2025 01:55 PM
What is in your props.conf?
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-15-2025 12:20 PM

Hey @sudha_krish 

Please avoid calling out specific users on here - it wont help get your question answered.

Please could you also share your props.conf config?

I dont think this is correct:

SOURCE_KEY=MetaData:orig_sourcetype

Can you try:

[copy_original_sourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (.+)
FORMAT = orig_sourcetype::$1
WRITE_META = true

[clone_for_thirdparty]
SOURCE_KEY = MetaData:Index
REGEX = ^test_np$
DEST_KEY = MetaData:Sourcetype
CLONE_SOURCETYPE = data_to_thirdparty
WRITE_META = true

[sourcetype_raw_updated]
INGEST_EVAL = _raw=_raw." orig_sourcetype=".orig_sourcetype

Do you want orig_sourcetype adding to the raw text value?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

sudha_krish
Explorer
‎07-15-2025 10:05 PM

Here is my props and transforms

props.conf
[default]
TRANSFORMS-save_original_sourcetype = save_original_sourcetype
TRANSFORMS-clone_for_thirdparty = clone_for_thirdparty

[data_to_thirdparty]
SHOULD_LINEMERGE = true
TRANSFORMS-updateFields = sourcetype_raw_updated
TRANSFORMS-route_thirdparty = route_thirdparty


transforms.conf
# 1. Save original sourcetype as a field (for use in the clone)
[save_original_sourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (.+)
FORMAT = orig_sourcetype::$1
WRITE_META = true

# 2. Clone only events from vme_ops_prod to sourcetype=data_to_thirdparty
[clone_for_thirdparty]
SOURCE_KEY = _MetaData:Index
REGEX = ^test_np$
DEST_KEY = MetaData:Sourcetype
CLONE_SOURCETYPE = data_to_thirdparty
WRITE_META = true

# 3. Meta-data transforms for the clone
[sourcetype_raw_updated]
SOURCE_KEY=MetaData:orig_sourcetype
REGEX=^orig_sourcetype::(.*)$
FORMAT = $1##$0
DEST_KEY=_raw

# 4. Route the cloned event ONLY to thirdparty
[route_thirdparty]
SOURCE_KEY = _MetaData:Index
REGEX = (^test_np.*)
DEST_KEY = _TCP_ROUTING
FORMAT = dev_thirdparty

 

I'm sending logs (no cooked data) to thirdpartyserver over TCP without disturbing existing flow. so I just cloned the event and adding original sourcetype to the cloned event and sending to thirdparty output group.

now the issue here is I can't find the original source type.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-16-2025 12:26 AM

Transform classes are called in alphabetical order. And please don't call out specific people for help. That's rude.

Reply

sudha_krish
Explorer
‎07-15-2025 11:39 AM

I just want to add the orig_sourcetype to the cloned event with original sourcetype value.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...