https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493687#M84339 <P>You can use different server classes (with associated different inputs.conf) going to IIS servers of Type A vs Type B</P> <P>Yes, you do need to maintain two (or more) UF apps, but you can get pretty granular on what endpoints show up in what server class</P> Tue, 26 Nov 2019 14:54:39 GMT wmyersas 2019-11-26T14:54:39Z https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493685#M84337 <P>We got several IIS servers and want to index IIS logs into Splunk. However, we need to seperate some of the servers to a seperate indexer due to different needs for Access controll and retention.</P> <P>Is there a way to get IIS logs from some servers to one index and logs from anorther server to another index?</P> <P>Using universal forwarders. running Splunk 7.2.6 , Windows 2012RS, single instance.</P> Tue, 26 Nov 2019 12:07:26 GMT https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493685#M84337 erikwie 2019-11-26T12:07:26Z https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493686#M84338 <P>HI @erikwie,<BR /> You have to override index value for some events on Indexers not on Universal Forwarders.</P> <P>Following the infos at <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Advancedsourcetypeoverrides">https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Advancedsourcetypeoverrides</A><BR /> in props.conf </P> <PRE><CODE>[host::your_host] TRANSFORMS-index = overrideindex </CODE></PRE> <P>(a stanza for each host or you can use jolly chars)</P> <P>in transforms.conf </P> <PRE><CODE>[overrideindex] DEST_KEY =_MetaData:Index REGEX = . FORMAT = my_new_index </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Tue, 26 Nov 2019 12:18:45 GMT https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493686#M84338 gcusello 2019-11-26T12:18:45Z https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493687#M84339 <P>You can use different server classes (with associated different inputs.conf) going to IIS servers of Type A vs Type B</P> <P>Yes, you do need to maintain two (or more) UF apps, but you can get pretty granular on what endpoints show up in what server class</P> Tue, 26 Nov 2019 14:54:39 GMT https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493687#M84339 wmyersas 2019-11-26T14:54:39Z https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493688#M84340 <P>You should not be using separate <CODE>indexers</CODE>, you should be using separate <CODE>index values</CODE> on the same <CODE>indexer</CODE> and using <CODE>roles-based access</CODE> feature to control who gets to use/see what. Hopefully that is what you meant. You can do it the <CODE>hard way</CODE> at the indexers like this:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad</A><BR /> Or you can do it the <CODE>easy way</CODE> by either:<BR /> 1: creating 2 apps and deploying one with <CODE>index=foo</CODE> to 1 class of servers and the other with <CODE>index=bar</CODE> to the other class.<BR /> 2: using a single app and creating a set of universal <CODE>host-based</CODE> stanzas to the appropriate UFs like this:</P> <PRE><CODE>[host::foo1] index = foo [host::foo2] index = foo [host::foo3] index = foo [host::foo4] index = foo [host::bar1] index = bar [host::bar2] index = bar [host::bar3] index = bar [host::bar4] index = bar </CODE></PRE> Tue, 26 Nov 2019 23:53:04 GMT https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493688#M84340 woodcock 2019-11-26T23:53:04Z https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493689#M84341 <P>OP said "indexes", not "indexers"</P> Wed, 27 Nov 2019 23:05:03 GMT https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493689#M84341 wmyersas 2019-11-27T23:05:03Z https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493690#M84342 <P>I think somebody edited and fixed it.</P> Fri, 13 Dec 2019 11:22:08 GMT https://community.splunk.com/t5/Getting-Data-In/Different-IIS-hosts-logging-to-different-indexes/m-p/493690#M84342 woodcock 2019-12-13T11:22:08Z