https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459670#M94332 <P>Yes, I want to forward events with different value to a different indexes.</P> Wed, 25 Jul 2018 14:23:27 GMT myordanov95 2018-07-25T14:23:27Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459666#M94328 <P>Is it possible to forward messages to different indexes based on the value of message field ?<BR /> And which forwarder is the most appropriate (Universal or Heavy) ? </P> Wed, 25 Jul 2018 10:43:34 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459666#M94328 myordanov95 2018-07-25T10:43:34Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459667#M94329 <P>Yes. Using <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE>, you can achieve this. Please provide some sample data to perform regex matching. Otherwise, below is the basic structure of configuration settings for routing events. </P> <P>Props.conf:</P> <PRE><CODE>[your_custom_sourcetype] TRANSFORMS-routing = routing_based_on_field_values </CODE></PRE> <P>Transforms.conf:</P> <PRE><CODE>[routing_based_on_field_values] REGEX = &lt;your_custom_regex&gt; DEST_KEY = _MetaData:Index FORMAT = &lt;alternate_index_name&gt; </CODE></PRE> <P>You can find more information in below links, let me know if this helps.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Setupmultipleindexes#Route_specific_events_to_a_different_index">http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Setupmultipleindexes#Route_specific_events_to_a_different_index</A></P> <P><A href="https://answers.splunk.com/answers/566448/route-specific-events-to-a-relative-index.html">https://answers.splunk.com/answers/566448/route-specific-events-to-a-relative-index.html</A></P> Wed, 25 Jul 2018 13:44:32 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459667#M94329 sudosplunk 2018-07-25T13:44:32Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459668#M94330 <P>In case of having a thousands of different values , I want to create thousands of indexes. Does it mean I have to declared thousands of stanzas. </P> Wed, 25 Jul 2018 14:07:23 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459668#M94330 myordanov95 2018-07-25T14:07:23Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459669#M94331 <P>Oh, you want to route each event with different value to a different index? I thought, you want to look for specific value in the raw events and route all the events which have this specific value to different index(s). </P> Wed, 25 Jul 2018 14:14:17 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459669#M94331 sudosplunk 2018-07-25T14:14:17Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459670#M94332 <P>Yes, I want to forward events with different value to a different indexes.</P> Wed, 25 Jul 2018 14:23:27 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459670#M94332 myordanov95 2018-07-25T14:23:27Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459671#M94333 <P>Can you provide some sample events with values which you want to route.</P> Wed, 25 Jul 2018 14:34:10 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459671#M94333 sudosplunk 2018-07-25T14:34:10Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459672#M94334 <P>{"name":"value1"},<BR /> {"name":"value2"},<BR /> ....<BR /> {"name":"value1000"}</P> <P>In this case, I want to forward events to 1000 indexes.</P> Wed, 25 Jul 2018 14:37:38 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459672#M94334 myordanov95 2018-07-25T14:37:38Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459673#M94335 <P>Are all these events coming from 1 source/host? Also, why do you want to forward <STRONG>each</STRONG> event to <STRONG>each</STRONG> index. </P> Wed, 25 Jul 2018 14:46:08 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459673#M94335 sudosplunk 2018-07-25T14:46:08Z https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459674#M94336 <P>Sorry, I am looking for solution of this problem.</P> Wed, 25 Jul 2018 14:54:06 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-messages-to-different-indexes-based-on-the-value-of-its/m-p/459674#M94336 myordanov95 2018-07-25T14:54:06Z