https://community.splunk.com/t5/Getting-Data-In/How-to-send-data-to-different-index/m-p/646646#M109970 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/149978">@sarit_s</a>,</P><P>at first the rules to have different indexes are two:</P><UL><LI>different retention times,</LI><LI>different access grants.</LI></UL><P>In your case I suppose that debug logs have a lower retention than the others.</P><P>Anyway, you can address logs to an index in inputs.conf, indicating the destination index in each stanza.</P><P>Otherwise, you can override the index value following the instructions that you can find in many answers.</P><P>In few words:</P><P>you have at first to identify the sourcetype and a regex to select the events to send in a different index, then you have to put</P><P>in props.conf</P><LI-CODE lang="markup">[your_sourcetype] TRANSFORMS-index = overrideindex</LI-CODE><P>and on transforms.conf</P><LI-CODE lang="markup">[overrideindex] DEST_KEY =_MetaData:Index REGEX = &lt;your_regex&gt; FORMAT = your_new_index</LI-CODE><P>Rememeber that these two conf files must be in the first full Splunk instance you have (not Universal Forwarder), in other words in the first Heavy Forwarder (if present) or on Indexers.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 12 Jun 2023 12:13:21 GMT gcusello 2023-06-12T12:13:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-data-to-different-index/m-p/646644#M109969 <P>Hello</P> <P>I have some kind of data that I want to filter to different index and in the future i would like to stop this index entirely.</P> <P>The data I want to filter is&nbsp;</P> <P>1. all the logs with debug mode</P> <P>2. logs that contains&nbsp; Categories!="" OR Categories!=$* OR Categories!="* *"&nbsp;</P> <P>How it can be done ?</P> <P>Thanks</P> Mon, 12 Jun 2023 13:27:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-data-to-different-index/m-p/646644#M109969 sarit_s 2023-06-12T13:27:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-data-to-different-index/m-p/646646#M109970 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/149978">@sarit_s</a>,</P><P>at first the rules to have different indexes are two:</P><UL><LI>different retention times,</LI><LI>different access grants.</LI></UL><P>In your case I suppose that debug logs have a lower retention than the others.</P><P>Anyway, you can address logs to an index in inputs.conf, indicating the destination index in each stanza.</P><P>Otherwise, you can override the index value following the instructions that you can find in many answers.</P><P>In few words:</P><P>you have at first to identify the sourcetype and a regex to select the events to send in a different index, then you have to put</P><P>in props.conf</P><LI-CODE lang="markup">[your_sourcetype] TRANSFORMS-index = overrideindex</LI-CODE><P>and on transforms.conf</P><LI-CODE lang="markup">[overrideindex] DEST_KEY =_MetaData:Index REGEX = &lt;your_regex&gt; FORMAT = your_new_index</LI-CODE><P>Rememeber that these two conf files must be in the first full Splunk instance you have (not Universal Forwarder), in other words in the first Heavy Forwarder (if present) or on Indexers.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 12 Jun 2023 12:13:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-data-to-different-index/m-p/646646#M109970 gcusello 2023-06-12T12:13:21Z