While attempting to clone (and mask) events that belong to select source patterns, the CLONE_SOURCETYPE doesn't honor the REGEX. The goal is to restrict cloning to those events that have dev or tst in their source, so prod or perf or uat etc. wouldn't get cloned. It seems that no matter what the REGEX in the clone stanza in transforms is, the events get cloned. The temporary solution was to run a nullQueue for those non-dev and non-tst sources.

What am I doing wrong here? Any thoughts/suggestions?

Note: The test file doesn't have any source defined. The only place I supply a source is using the -rename-source argument as below.

# Code fragment

How I run this using oneshot:

```
splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_dev_cnf" -index mask -sourcetype sfdc:orig -host dev_01
```

[WORKS - clones should be created. Works as expected]

```
splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_prod_cnf" -index mask -sourcetype sfdc:orig -host dev_02
```

[DOESN'T WORK - clones shouldn't be created, but they are]

props.conf

```
[sfdc:orig]
TRANSFORMS-sfdc-orig = sfdc_cloner

[sfdc:clone]
EVAL-mn = "foo"
```

transforms.conf

```
# sources are one of the following -
# sfdc_object://User_splunk_dev_cnf
# sfdc_object://User_splunk_tst_cnf
# sfdc_object://User_splunk_prod_cnf
# ...

[sfdc_cloner]
#Only clone those where sources don't have _prod_
REGEX = ^(?=.*(dev|tst)).*
# Tried this as well - no bueno
#REGEX = (sfdc_object:.*(dev|tst)_cnf.*)
SOURCE_KEY = MetaData:Source
FORMAT = $0
DEST_KEY = _raw
CLONE_SOURCETYPE = sfdc:clone
```