https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312408#M58559 <P>Another option to avoid double-license hit is to schedule a saved search to use the <CODE>collect</CODE> command to copy all the events from the original index into a <CODE>summary index</CODE>.</P> Sat, 02 Sep 2017 18:29:29 GMT woodcock 2017-09-02T18:29:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312404#M58555 <P>Consider I have to monitor below log file and send to two or multiple indexes at the same time. ( NOTE: Not indexers groups)</P> <P>[monitor://D:\test\test1.log]<BR /> sourcetype = test<BR /> index = online and offline</P> <P>How can we achieve this?</P> Fri, 01 Sep 2017 14:47:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312404#M58555 arunsunny 2017-09-01T14:47:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312405#M58556 <P>Hi arunsunny,<BR /> I don't know why do you want to send the same logs to different indexes, but remember that in this way you have a double (or more) license consumption!<BR /> Anyway if you want to do this, the only way is to create symbolic links ( <A href="http://docs.splunk.com/Documentation/Splunk/6.6.3/admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/6.6.3/admin/Inputsconf</A> ) and index both original file and symbolic link.<BR /> Bye.<BR /> Giuseppe</P> Fri, 01 Sep 2017 14:58:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312405#M58556 gcusello 2017-09-01T14:58:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312406#M58557 <P>Hi Cusello,</P> <P>Could you please provide me an example for the above-mentioned scenario to achieve using a symbolic link.</P> <P>Regards,<BR /> Arun</P> Fri, 01 Sep 2017 15:25:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312406#M58557 arunsunny 2017-09-01T15:25:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312407#M58558 <P>Like this:</P> <PRE><CODE>[monitor://D:\test\test1.log] sourcetype = test index = online [monitor://D:\linktotest\test1.log] sourcetype = test index = offline </CODE></PRE> <P>The create s symbolic link from <CODE>linktotest</CODE> to <CODE>test</CODE>:<BR /> <A href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363878(v=vs.85).aspx">https://msdn.microsoft.com/en-us/library/windows/desktop/aa363878(v=vs.85).aspx</A></P> Sat, 02 Sep 2017 18:27:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312407#M58558 woodcock 2017-09-02T18:27:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312408#M58559 <P>Another option to avoid double-license hit is to schedule a saved search to use the <CODE>collect</CODE> command to copy all the events from the original index into a <CODE>summary index</CODE>.</P> Sat, 02 Sep 2017 18:29:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312408#M58559 woodcock 2017-09-02T18:29:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312409#M58560 <P>Thank you, Woodcock !!</P> Mon, 04 Sep 2017 12:44:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-same-data-source-to-two-or-multiple-indexes/m-p/312409#M58560 arunsunny 2017-09-04T12:44:48Z