https://community.splunk.com/t5/Getting-Data-In/forward-events-to-multiple-indexers/m-p/422079#M94185 <P>hi everyone,</P> <P>I have web server events.<BR /> I want to forward specific events that contain digits 404 to index1 and remaining event to index2.<BR /> below is an example event: <BR /> 12.130.60.4 - - [13/Jan/2016 21:03:09:149] "GET /category.screen?category_id=GIFTS&amp;JSESSIONID=SD9SL6FF8ADFF9 HTTP 1.1" <STRONG>404</STRONG> 3585 "<A href="http://www.myflowershop.com/category.screen?category_id=GIFTS" target="_blank">http://www.myflowershop.com/category.screen?category_id=GIFTS</A>" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 976</P> <P>Please advise.</P> Tue, 29 Sep 2020 21:00:01 GMT riqbal 2020-09-29T21:00:01Z https://community.splunk.com/t5/Getting-Data-In/forward-events-to-multiple-indexers/m-p/422079#M94185 <P>hi everyone,</P> <P>I have web server events.<BR /> I want to forward specific events that contain digits 404 to index1 and remaining event to index2.<BR /> below is an example event: <BR /> 12.130.60.4 - - [13/Jan/2016 21:03:09:149] "GET /category.screen?category_id=GIFTS&amp;JSESSIONID=SD9SL6FF8ADFF9 HTTP 1.1" <STRONG>404</STRONG> 3585 "<A href="http://www.myflowershop.com/category.screen?category_id=GIFTS" target="_blank">http://www.myflowershop.com/category.screen?category_id=GIFTS</A>" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 976</P> <P>Please advise.</P> Tue, 29 Sep 2020 21:00:01 GMT https://community.splunk.com/t5/Getting-Data-In/forward-events-to-multiple-indexers/m-p/422079#M94185 riqbal 2020-09-29T21:00:01Z https://community.splunk.com/t5/Getting-Data-In/forward-events-to-multiple-indexers/m-p/422080#M94186 <P>Try this:</P> <P>In props.conf:</P> <PRE><CODE>[mysourcetype] TRANSFORMS-setIndex = setindex1, setindex2 </CODE></PRE> <P>In transforms.conf:</P> <PRE><CODE>[setindex1] DEST_KEY = _MetaData:Index REGEX = 404 FORMAT = index1 [setindex2] DEST_KEY = _MetaData:Index REGEX = . FORMAT = index2 </CODE></PRE> Sun, 26 Aug 2018 12:58:06 GMT https://community.splunk.com/t5/Getting-Data-In/forward-events-to-multiple-indexers/m-p/422080#M94186 richgalloway 2018-08-26T12:58:06Z https://community.splunk.com/t5/Getting-Data-In/forward-events-to-multiple-indexers/m-p/422081#M94187 <P>hi<BR /> thanks for your kind support. yesterday I achieved that. below is my working config.</P> <P>inputs.conf<BR /> [monitor:///splunkfiles/lxxx/access_combined.log]<BR /> sourcetype = access_combined<BR /> <STRONG>index = webindex</STRONG> </P> <P>props.conf<BR /> [access_combined]<BR /> TRANSFORMS-local = notfound</P> <P>Transforms.conf</P> <P>[notfound]<BR /> <STRONG>REGEX = "\s(404)\s</STRONG><BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = notfoundindex</P> <P>Initially, I used your approach. but it did not work with me.</P> <P>can you please explain line 8 in transforms.conf.</P> <P><STRONG>lastly, we task is to move the events to corresponding indexes before getting indexed(save license). Is this method correct?</STRONG></P> Tue, 29 Sep 2020 21:03:44 GMT https://community.splunk.com/t5/Getting-Data-In/forward-events-to-multiple-indexers/m-p/422081#M94187 riqbal 2020-09-29T21:03:44Z