I have an indexing scenario and below are the points to be considered. Imagine I have a log file with DEBUG, INFO, and ERROR events.
Is the second scenario feasible, and if so, how?
I have my data flowing from a universal forwarder to an indexer via a heavy forwarder.
Question 2
Universal Forwarder
inputs.conf
[monitor://<path to your file>]
sourcetype = mysourcetype
# other settings ...
Indexer or Heavy Forwarder
props.conf
[mysourcetype]
TRANSFORMS-newindex = index2debug, index2error
transforms.conf
[index2debug]
DEST_KEY = _MetaData:Index
# regex that matches your DEBUG lines, for example:
REGEX = \bDEBUG\b
FORMAT = debugindex
[index2error]
DEST_KEY = _MetaData:Index
# regex that matches your ERROR lines, for example:
REGEX = \bERROR\b
FORMAT = errorindex
Keep in mind that you can also override the index name dynamically if you capture the final value in your REGEX and then use something like "index::$1" in your FORMAT line.
Some official documentation here: http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Advancedsourcetypeoverrides
Hope that helps.
For Question 1, you can use the "Discard specific events and keep the rest" configuration from the Admin manual.
This is feasible and I completely understand it.
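As an added illustration (not code from either answer above), this small Python simulator applies the props.conf/transforms.conf routing from the first answer to constructed log lines, using concrete regexes in place of the "something that matches ..." placeholders and adding a constructed nullQueue stanza for the discard approach mentioned for Question 1. The sample events, the "index2null" stanza and the default index name "main" are all assumptions, not part of the thread.

```python
import configparser
import re
# Constructed transforms.conf: the two routing stanzas from the answer with concrete
# REGEX values, plus a constructed nullQueue stanza for the Question 1 style discard.
TRANSFORMS_CONF = r"""
[index2debug]
DEST_KEY = _MetaData:Index
REGEX = \bDEBUG\b
FORMAT = debugindex
[index2error]
DEST_KEY = _MetaData:Index
REGEX = \bERROR\b
FORMAT = errorindex
[index2null]
DEST_KEY = queue
REGEX = health-check
FORMAT = nullQueue
"""
# Same order as props.conf: TRANSFORMS-newindex = index2debug, index2error, index2null
TRANSFORM_ORDER = ["index2debug", "index2error", "index2null"]
# Constructed sample events; INFO lines match no routing stanza and stay in the default index.
SAMPLE_EVENTS = [
    "2016-01-10 10:00:01 DEBUG starting worker 3",
    "2016-01-10 10:00:02 INFO request served in 12ms",
    "2016-01-10 10:00:03 ERROR connection refused to db01",
    "2016-01-10 10:00:04 INFO health-check ok",
]

def load_transforms(text):
    """Parse transforms.conf text into {stanza: {dest_key, regex, format}} (keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route_event(raw, transforms, order, default_index="main"):
    """Return the index one raw event lands in, or None when it is routed to nullQueue.
    Transforms run in listed order; a later match on the same DEST_KEY overwrites an earlier one."""
    keys = {"_MetaData:Index": default_index, "queue": "indexQueue"}
    for name in order:
        t = transforms[name]
        m = re.search(t["regex"], raw)
        if m:
            # Splunk FORMAT uses $1, $2 ... for capture groups; translate to Python's \1 style
            keys[t["dest_key"]] = m.expand(re.sub(r"\$(\d+)", r"\\\1", t["format"]))
    return None if keys["queue"] == "nullQueue" else keys["_MetaData:Index"]

def route_all(events=SAMPLE_EVENTS):
    transforms = load_transforms(TRANSFORMS_CONF)
    return {e: route_event(e, transforms, TRANSFORM_ORDER) for e in events}
```

Because the two index stanzas only cover DEBUG and ERROR, INFO events fall through to whatever index the input or sourcetype defaults to, which is worth checking before assuming they are routed anywhere.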