topic Re: Redirection to multiple indexes and Null queue not working in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Redirection-to-multiple-indexes-and-Null-queue-not-working/m-p/574805#M101587 <P>What results do you get?</P><P>If there are no other configuration items pertaining to your sources (have you tried btool props list?) I'd say that you redirect all matching sources (do you match properly? Are you sure you shouldn't use "..." instead of "*"?) to nullqueue so the index rewriting is a bit pointless since all events should get discarded in the end.</P> Sat, 13 Nov 2021 10:49:47 GMT PickleRick 2021-11-13T10:49:47Z Redirection to multiple indexes and Null queue not working https://community.splunk.com/t5/Getting-Data-In/Redirection-to-multiple-indexes-and-Null-queue-not-working/m-p/574803#M101586 <P>Hello,&nbsp;</P><P>We are integrating the json logs via HEC into Splunk Heavy Forwarder.<BR />I have tried the below configurations.I am applying the props for the source. In transforms, there are different regexes and I would want to route it to different indexes based on log files and route all the other files not required to a null queue. I would not be able to use FORMAT=indexqueue in transforms.conf as I cannot mention multiple indexes in inputs.conf .This is not working and I am not getting results as expected. Kindly help.</P><P>The configs are like below:</P><P><U><STRONG>PROPS.CONF --</STRONG></U></P><P>[source::*model-app*]<BR />TRANSFORMS-segment=setnull,security_logs,application_logs,provisioning_logs</P><P><STRONG><U>TRANSFORMS.CONF --</U></STRONG></P><P>[setnull]<BR />REGEX=class\"\:\"(.*?)\"<BR />DEST_KEY = queue<BR />FORMAT = nullQueue</P><P>[security_logs]<BR />REGEX=(class\"\:\"(/var/log/cron|/var/log/audit/audit.log|/var/log/messages|/var/log/secure)\")<BR />DEST_KEY=_MetaData:Index<BR />FORMAT=model_sec<BR />WRITE_META=true<BR />LOOKAHEAD=40000</P><P>[application_logs]<BR />REGEX=(class\"\:\"(/var/log/application.log|/var/log/local*?.log)\")<BR />DEST_KEY=_MetaData:Index<BR />FORMAT=model_app<BR />WRITE_META=true<BR />LOOKAHEAD=40000</P><P>[provisioning_logs]<BR />REGEX=class\"\:\"(/opt/provgw-error_msg.log|/opt/provgw-bulkrequest.log|/opt/provgw/provgw-spml_command.log.*?)\"<BR />DEST_KEY=_MetaData:Index<BR />FORMAT=model_prov<BR />WRITE_META=true</P> Sat, 13 Nov 2021 09:29:03 GMT https://community.splunk.com/t5/Getting-Data-In/Redirection-to-multiple-indexes-and-Null-queue-not-working/m-p/574803#M101586 bhargavi 2021-11-13T09:29:03Z Re: Redirection to multiple indexes and Null queue not working https://community.splunk.com/t5/Getting-Data-In/Redirection-to-multiple-indexes-and-Null-queue-not-working/m-p/574805#M101587 <P>What results do you get?</P><P>If there are no other configuration items pertaining to your sources (have you tried btool props list?) I'd say that you redirect all matching sources (do you match properly? Are you sure you shouldn't use "..." instead of "*"?) to nullqueue so the index rewriting is a bit pointless since all events should get discarded in the end.</P> Sat, 13 Nov 2021 10:49:47 GMT https://community.splunk.com/t5/Getting-Data-In/Redirection-to-multiple-indexes-and-Null-queue-not-working/m-p/574805#M101587 PickleRick 2021-11-13T10:49:47Z