https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243324#M47154 <P>Thank you. It worked.<BR /> In case I would like to classify each index with a different sourcetype. How can I do that?</P> <P>Thanks,<BR /> Lp</P> Wed, 24 Aug 2016 12:18:58 GMT lpolo 2016-08-24T12:18:58Z https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243322#M47152 <P>I have a TCP:514 input working without any problem but indexing in a single index. <BR /> I have not found a way to index events as follow:</P> <P>Event A should be indexed in index=A<BR /> _time host="a.com" Type="A" ....... Any Key Value Pair</P> <P>Event B should be indexed in index=B<BR /> _time host="a.com" Type="B" ....... Any Key Value Pair</P> <P>How can I do that?</P> <P>Thanks,<BR /> Lp</P> Tue, 23 Aug 2016 18:14:51 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243322#M47152 lpolo 2016-08-23T18:14:51Z https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243323#M47153 <P>The Splunk Add-on for Cisco ASA (<A href="https://splunkbase.splunk.com/app/1620/">https://splunkbase.splunk.com/app/1620/</A>) does something similar with sourcetypes. Using that add-on as an example, your props.conf should look something like this:</P> <PRE><CODE>[source::tcp:514] TRANSFORMS-force_indexes = force_index_A,force_index_B </CODE></PRE> <P>Your transforms.conf should look something like this:</P> <PRE><CODE>[force_index_A] DEST_KEY = _MetaData:Index REGEX = Type="A" FORMAT = A [force_index_B] DEST_KEY = _MetaData:Index REGEX = Type="B" FORMAT = B </CODE></PRE> Tue, 23 Aug 2016 20:15:54 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243323#M47153 jconger 2016-08-23T20:15:54Z https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243324#M47154 <P>Thank you. It worked.<BR /> In case I would like to classify each index with a different sourcetype. How can I do that?</P> <P>Thanks,<BR /> Lp</P> Wed, 24 Aug 2016 12:18:58 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243324#M47154 lpolo 2016-08-24T12:18:58Z https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243325#M47155 <P>If you want to do index and sourcetype, your props.conf should look like this:</P> <PRE><CODE>[source::tcp:514] TRANSFORMS-force_indexes = force_index_A,force_index_B,force_sourcetype_A,force_sourcetype_B </CODE></PRE> <P>And your transforms.conf file should look like this:</P> <PRE><CODE>[force_index_A] DEST_KEY = _MetaData:Index REGEX = Type="A" FORMAT = A [force_index_B] DEST_KEY = _MetaData:Index REGEX = Type="B" FORMAT = B [force_sourcetype_A] DEST_KEY = MetaData:Sourcetype REGEX = Type="A" FORMAT = sourcetype::sourcetype_A [force_sourcetype_B] DEST_KEY = MetaData:Sourcetype REGEX = Type="B" FORMAT = sourcetype::sourcetype_B </CODE></PRE> Wed, 24 Aug 2016 15:42:42 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243325#M47155 jconger 2016-08-24T15:42:42Z https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243326#M47156 <P>Thanks for the example. </P> Wed, 24 Aug 2016 16:55:19 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-514-Input-gt-Multiple-Indexex-and-Source-Type/m-p/243326#M47156 lpolo 2016-08-24T16:55:19Z