The transforms that set sourcetypes have a bug.
The regex uses a capture group that is not used in the FORMAT statement.
When this is the case, Splunk does not return a match on the regex.
To get this to work it is necessary to change the regex to a non-capturing group,
e.g. for:
[auditdclasses2]
REGEX = type\=(ANOM_|USER_AVC|AVC|CRYPTO_REPLAY_USER|RESP)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux:audit:ocsf:finding
must be changed to
REGEX = type\=(?:ANOM_|USER_AVC|AVC|CRYPTO_REPLAY_USER|RESP)
Then it works.
The same for the other auditdclasses1 - 6.
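To check all six auditdclasses stanzas (and any other transform) for this pattern at once, here is a small linter written for this report; it is an added example, not code from the add-on. It parses transforms.conf-style text, flags stanzas whose REGEX has an unnamed capture group that FORMAT never references with $N, and prints the non-capturing rewrite. The stanzas, the _fixed and extract_pid entries, and the audit line are constructed for the demonstration; only auditdclasses2 is taken from the report above.

```python
import configparser
import re

# Constructed transforms.conf content for illustration. auditdclasses2 is the
# stanza from the report; the other two stanzas are made up for contrast.
SAMPLE_TRANSFORMS = r"""
[auditdclasses2]
REGEX = type\=(ANOM_|USER_AVC|AVC|CRYPTO_REPLAY_USER|RESP)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux:audit:ocsf:finding

[auditdclasses2_fixed]
REGEX = type\=(?:ANOM_|USER_AVC|AVC|CRYPTO_REPLAY_USER|RESP)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux:audit:ocsf:finding

[extract_pid]
REGEX = \spid=(\d+)
FORMAT = pid::$1
"""

# Constructed auditd record, shaped like a real one but not captured from a host.
SAMPLE_EVENT = "type=USER_AVC msg=audit(1700000000.123:456): pid=1234 uid=0"


def parse_transforms(text):
    """Parse transforms.conf-style text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX/FORMAT/DEST_KEY exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def to_python_regex(regex):
    """Splunk (PCRE) writes named groups as (?<name>...); Python's re wants (?P<name>...)."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", regex)


def unnamed_group_count(regex):
    """Number of unnamed capturing groups in a Splunk-style regex."""
    compiled = re.compile(to_python_regex(regex))
    return compiled.groups - len(compiled.groupindex)


def format_references(fmt):
    """Set of $N back-references used in a FORMAT value."""
    return {int(n) for n in re.findall(r"\$(\d+)", fmt or "")}


def find_unused_capture_groups(stanzas):
    """Return stanza names whose REGEX captures groups that FORMAT never references."""
    flagged = []
    for name, keys in stanzas.items():
        regex = keys.get("REGEX")
        if not regex:
            continue
        if unnamed_group_count(regex) > 0 and not format_references(keys.get("FORMAT")):
            flagged.append(name)
    return flagged


def to_noncapturing(regex):
    """Rewrite every unnamed capturing '(' as '(?:', leaving escapes, classes and (?...) alone."""
    out = []
    i = 0
    in_class = False
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):  # escaped character: copy both
            out.append(regex[i:i + 2])
            i += 2
            continue
        if in_class:
            if ch == "]":
                in_class = False
        elif ch == "[":
            in_class = True
        elif ch == "(" and regex[i + 1:i + 2] != "?":
            out.append("(?:")
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    stanzas = parse_transforms(SAMPLE_TRANSFORMS)
    for name in find_unused_capture_groups(stanzas):
        print(f"{name}: REGEX = {stanzas[name]['REGEX']}")
        print(f"{name}: fix   = {to_noncapturing(stanzas[name]['REGEX'])}")
    # Both forms match the sample line; the only difference is whether a group is captured.
    for name in ("auditdclasses2", "auditdclasses2_fixed"):
        m = re.search(to_python_regex(stanzas[name]["REGEX"]), SAMPLE_EVENT)
        print(name, "matches" if m else "no match", m.groups() if m else ())
```

Run it against the add-on's real transforms.conf by replacing SAMPLE_TRANSFORMS with the file contents; every stanza it lists is a candidate for the (?: rewrite shown in the report.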