Solved: Re: How can I override an index name based on sour...

rphillips_splk · ‎06-18-2015

I want to override the index name of my events (assigned at the forwarder) with a new index name based on sourcetype.

rphillips_splk · ‎06-18-2015

This can be done at the heavy forwarder or indexer:

On your indexer or heavy forwarder:

# etc/system/local/transforms.conf 
[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = my_new_index


#etc/system/local/props.conf 
[mysourcetype]
TRANSFORMS-index = overrideindex

View solution in original post

rphillips_splk · ‎06-18-2015

This can be done at the heavy forwarder or indexer:

On your indexer or heavy forwarder:

# etc/system/local/transforms.conf 
[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = my_new_index


#etc/system/local/props.conf 
[mysourcetype]
TRANSFORMS-index = overrideindex

rphillips_splk · ‎06-18-2015

you must have the index already configured on the indexers in indexes.conf before sending events to the new index.

shan_santosh · ‎12-07-2016

Can I do this based on specific host name, if yes, how?

MuS · ‎03-17-2019

Greetings from the future ...

Yes, you can specify a host name to be used in props.conf see the docs for more details https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#GLOBAL_SETTINGS

cheers, MuS

How can I override an index name based on sourcetype?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...