https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319624#M59700 <P>Hi yu94,<BR /> Did you tried to override index on indexers? you said that you want to override index only on a set of indexers, so you can:</P> <UL> <LI>take logs using DB Connect on HF setting index1,</LI> <LI>then on indexers (only the ones of the selected set), use the index override configuration.</LI> </UL> <P>In this way you can ingest logs on HF with the original index and then modify it on the indexers.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 20 Oct 2017 11:41:38 GMT gcusello 2017-10-20T11:41:38Z https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319620#M59696 <P>Hi,</P> <P>There is situation where we have installed DB connect on HF and then the HF sends that data to 2 sets of different indexers and now we need to override the index name at one set of indexers .</P> <P>We have tried to override the index which is coming from UF is working fine.</P> <P>When we tried to override the index which is coming from HF (DB Connect), it was not working may be due to the metadata already set by this HF.</P> <P>Can you help me to fix this issue?</P> <P>Regards,<BR /> Thippesh</P> Fri, 20 Oct 2017 11:03:45 GMT https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319620#M59696 yu94 2017-10-20T11:03:45Z https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319621#M59697 <P>Hi yu94,<BR /> the easiest way is to override the index name in the set of indexers:<BR /> on transforms.conf </P> <PRE><CODE>[overrideindex] DEST_KEY =_MetaData:Index REGEX = . FORMAT = my_new_index </CODE></PRE> <P>on props.conf </P> <PRE><CODE>[mysourcetype] TRANSFORMS-index = overrideindex </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 20 Oct 2017 11:12:59 GMT https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319621#M59697 gcusello 2017-10-20T11:12:59Z https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319622#M59698 <P>Hi Giuseppe,</P> <P>We have tried this. This is not working because the data which generates is HF and we tried to override at the indexer, so on the HF it is passed the parsing queue and set the metadata file so will not be able to override at the indexer.</P> <P>Any other ways of doing it?</P> <P>Regards,<BR /> Thippesh</P> Fri, 20 Oct 2017 11:20:24 GMT https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319622#M59698 yu94 2017-10-20T11:20:24Z https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319623#M59699 <P>Since this is a heavy forwarder the data is cooked on this server, therefore the index setting is done here.</P> <P>Is it possible to get both sets of indexers to use the same index for this data?<BR /> If not the transforms.conf might work but you would need to do the transform based on which output was chosen, and I'm unsure how to do that part, also DB Connect can set an index, but it will only set one per input.</P> <P>Perhaps you can change your indexers to have the same index name?</P> Fri, 20 Oct 2017 11:36:30 GMT https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319623#M59699 gjanders 2017-10-20T11:36:30Z https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319624#M59700 <P>Hi yu94,<BR /> Did you tried to override index on indexers? you said that you want to override index only on a set of indexers, so you can:</P> <UL> <LI>take logs using DB Connect on HF setting index1,</LI> <LI>then on indexers (only the ones of the selected set), use the index override configuration.</LI> </UL> <P>In this way you can ingest logs on HF with the original index and then modify it on the indexers.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 20 Oct 2017 11:41:38 GMT https://community.splunk.com/t5/Getting-Data-In/Index-override-on-heavy-forwarder-data/m-p/319624#M59700 gcusello 2017-10-20T11:41:38Z