https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547865#M91144 <P><STRONG>SOLVED:&nbsp;</STRONG>in inputs.conf just specify the sourcetype or the source in order to let indexer intercept data and apply the transforms' stanza.</P><P>So my inputs.conf is like this:</P><LI-CODE lang="markup">[WinEventLog://Security] index=a sourcetype=WinEventLog source=WinEventLog:Security _TCP_ROUTING=group a, group b</LI-CODE><P>&nbsp;</P> Wed, 14 Apr 2021 10:24:25 GMT biagiodipalma 2021-04-14T10:24:25Z https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547766#M91137 <P>hi there,</P><P>I have some machines that collect Security logs from Windows. The universal forwarder on machines have this kind of conf:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[WinEventLog://Security] index=a _TCP_ROUTING=indexer1, indexer2</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Indexer1 and indexer2 are part of two different Splunk Enterprise installations: for indexer1 the 'a' index is correct, but the indexer2 puts security logs on index 'b'.</P><P>So I need to change my index on indexers or on heavy forwarders. How can I do this?<BR /><BR />##########<BR />I've tried this on indexer:<BR /><STRONG>props.conf</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[source::WinEventLog:Security] TRANSFORMS-indexing1 = idx_change</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>transforms.conf</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[idx_change] SOURCE_KEY=_raw REGEX=. DEST_KEY=_Metadata:Index FORMAT=b</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Apr 2021 10:25:15 GMT https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547766#M91137 biagiodipalma 2021-04-14T10:25:15Z https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547776#M91138 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230869">@biagiodipalma</a>&nbsp;</P><P>Can you share the outputs.conf configuration?</P><P>I need that configuration to understand the forwarder routing</P> Tue, 13 Apr 2021 17:47:19 GMT https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547776#M91138 aasabatini 2021-04-13T17:47:19Z https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547788#M91139 <P>On tre Forwarder the outputs.conf is like this:</P><P>[tcpout:groupA]<BR />server=indexer1:9997</P><P>[tcpout:groupB]<BR />server=indexer2a:9997, indexer2b:9997</P><P>&nbsp;</P><P>above I mentioned groupA as indexer1 and groupB as indexer2: groupB is made of two indexers in cluster&nbsp;</P> Tue, 13 Apr 2021 20:47:46 GMT https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547788#M91139 biagiodipalma 2021-04-13T20:47:46Z https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547865#M91144 <P><STRONG>SOLVED:&nbsp;</STRONG>in inputs.conf just specify the sourcetype or the source in order to let indexer intercept data and apply the transforms' stanza.</P><P>So my inputs.conf is like this:</P><LI-CODE lang="markup">[WinEventLog://Security] index=a sourcetype=WinEventLog source=WinEventLog:Security _TCP_ROUTING=group a, group b</LI-CODE><P>&nbsp;</P> Wed, 14 Apr 2021 10:24:25 GMT https://community.splunk.com/t5/Getting-Data-In/Solved-Same-log-different-indexers-and-index/m-p/547865#M91144 biagiodipalma 2021-04-14T10:24:25Z