https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61122#M12137 <P>Please see <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F</A> for a general explanation.</P> Thu, 30 Sep 2010 10:41:11 GMT gkanapathy 2010-09-30T10:41:11Z https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61120#M12135 <P>Before I ask my question, this is my environment.</P> <P>1 forwarder</P> <P>4 indexers</P> <P>1 search head</P> <P>I am trying to setup several indexes (based on source types).</P> <P>I have created indexes on each of the indexers (ct_usertransaction), and setup rules according to the documentation. </P> <PRE><CODE>props.conf (on forwarder) [ct-UserTransaction] TRANSFORMS-index = ct-UserTransaction [ct-UserTransaction] DEST_KEY = MetaData:Index REGEX = (ct-UserTransaction:) FORMAT = ct_usertransaction </CODE></PRE> <P>But I don't see anything in ct_usertransaction index.</P> <P>Where do I need to configure the rules, on a forwarder or indexers?</P> Thu, 30 Sep 2010 09:11:05 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61120#M12135 ultra 2010-09-30T09:11:05Z https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61121#M12136 <P>You need to set this configuration on the indexer for lightweight forwarders and on the forwarder for heavyweight forwarders.</P> Thu, 30 Sep 2010 09:39:01 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61121#M12136 Stephen_Sorkin 2010-09-30T09:39:01Z https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61122#M12137 <P>Please see <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F</A> for a general explanation.</P> Thu, 30 Sep 2010 10:41:11 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61122#M12137 gkanapathy 2010-09-30T10:41:11Z https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61123#M12138 <P>Thank you very much for this. It is a helpful link.</P> <P>But it raises another question. <BR /> How do I route specific events from a heavy weight forwarder to a specific index on a remote indexer?</P> Fri, 01 Oct 2010 01:33:56 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-indexes-in-distrubuted-splunk-environment/m-p/61123#M12138 ultra 2010-10-01T01:33:56Z