https://community.splunk.com/t5/Getting-Data-In/Heavyforwarder-transforms-conf-split-data-into-multiple-indexes/m-p/396426#M70654 <P>The problem is that the "discardAll" changes the queue for all messages, so all messages are dropped. Changing the index for the messages you want to keep doesn't change the queue back from null queue.</P> <P>So you need 2 additional transforms (or combine the 2 regexes to do it in one):</P> <PRE><CODE>[queue_one] REGEX=(First_Filter) DEST_KEY=queue FORMAT=indexQueue [queue_two] REGEX=(Second_Variant) DEST_KEY=queue FORMAT=indexQueue </CODE></PRE> <P>And then of course update your props.conf:</P> <PRE><CODE>[Custom_S] TRANSFORMS-set = discardAll,queue_one,queue_two,index2one,index2two </CODE></PRE> Mon, 25 Feb 2019 08:32:46 GMT FrankVl 2019-02-25T08:32:46Z https://community.splunk.com/t5/Getting-Data-In/Heavyforwarder-transforms-conf-split-data-into-multiple-indexes/m-p/396425#M70653 <P>Hello experts,</P> <P>Need help. My requirement is to extract 1st set of lines into 1st index and 2nd set into 2nd index. And ignore all other lines from a log file.</P> <P>Below is my configuration which is obviously failing. </P> <P>I have seen other blogs' solution - successfully able to separate events into two indexes without using [discardAll] from transforms.conf and unspecified index in inputs.conf. But it will redirect all my ignored lines into main idx which I don't want.</P> <P><STRONG>inputs.conf</STRONG><BR /> [monitor://D:\splunk_test\target.log]<BR /> disabled = false<BR /> sourcetype = Custom_S<BR /> index = target_index_one<BR /> interval = 10<BR /> crcSalt = </P> <P><STRONG>props.conf</STRONG><BR /> [Custom_S]<BR /> TRANSFORMS-set = discardAll,index2one,index2two</P> <P><STRONG>transforms.conf</STRONG><BR /> [discardAll]<BR /> REGEX=.<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>[index2one] <BR /> REGEX=(First_Filter)<BR /> DEST_KEY=_MetaData:Index<BR /> FORMAT=target_index_one</P> <P>[index2two] <BR /> REGEX=(Second_Variant)<BR /> DEST_KEY=_MetaData:Index<BR /> FORMAT=target_index_two</P> Tue, 29 Sep 2020 23:20:53 GMT https://community.splunk.com/t5/Getting-Data-In/Heavyforwarder-transforms-conf-split-data-into-multiple-indexes/m-p/396425#M70653 nareshinsvu 2020-09-29T23:20:53Z https://community.splunk.com/t5/Getting-Data-In/Heavyforwarder-transforms-conf-split-data-into-multiple-indexes/m-p/396426#M70654 <P>The problem is that the "discardAll" changes the queue for all messages, so all messages are dropped. Changing the index for the messages you want to keep doesn't change the queue back from null queue.</P> <P>So you need 2 additional transforms (or combine the 2 regexes to do it in one):</P> <PRE><CODE>[queue_one] REGEX=(First_Filter) DEST_KEY=queue FORMAT=indexQueue [queue_two] REGEX=(Second_Variant) DEST_KEY=queue FORMAT=indexQueue </CODE></PRE> <P>And then of course update your props.conf:</P> <PRE><CODE>[Custom_S] TRANSFORMS-set = discardAll,queue_one,queue_two,index2one,index2two </CODE></PRE> Mon, 25 Feb 2019 08:32:46 GMT https://community.splunk.com/t5/Getting-Data-In/Heavyforwarder-transforms-conf-split-data-into-multiple-indexes/m-p/396426#M70654 FrankVl 2019-02-25T08:32:46Z https://community.splunk.com/t5/Getting-Data-In/Heavyforwarder-transforms-conf-split-data-into-multiple-indexes/m-p/396427#M70655 <P>Just Awesome. I should have asked this before scratching my head for half a day and trying multiple options with transforms.conf and eventually failing.</P> <P>Thanks Frank</P> Mon, 25 Feb 2019 23:55:08 GMT https://community.splunk.com/t5/Getting-Data-In/Heavyforwarder-transforms-conf-split-data-into-multiple-indexes/m-p/396427#M70655 nareshinsvu 2019-02-25T23:55:08Z