I have an indexing scenario and below are the points to be considered. Imagine I have a log file with DEBUG, INFO, and ERROR events.
Is the second scenario feasible, and if so, how?
I have my data flowing from a universal forwarder to an indexer via heavy forwarder.
For Question 1, you can use the "Discard specific events and keep the rest" configuration in the Admin manual:
    # inputs.conf
    [monitor://path to your file]
    sourcetype = mysourcetype
    other props ...

Indexer or Heavy Forwarder

    # props.conf
    [mysourcetype]
    TRANSFORMS-newindex = index2debug, index2error

    # transforms.conf
    [index2debug]
    DEST_KEY = _MetaData:Index
    REGEX = something that matches DEBUG lines
    FORMAT = debugindex

    [index2error]
    DEST_KEY = _MetaData:Index
    REGEX = something that matches ERROR lines
    FORMAT = errorindex
Keep in mind you can also override your index name dynamically if you capture the final value in your REGEX and then use something like "index::$1" in your FORMAT line.
Some official documentation here: http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Advancedsourcetypeoverrides
Hope that helps.
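To check the routing rules above before deploying them, here is an added example (not part of the answer or of Splunk itself) that models how an ordered TRANSFORMS list with DEST_KEY = _MetaData:Index picks an index for each event. The sample log lines, the regexes and the index names are constructed; the "last matching transform wins" behaviour is an assumption of this model.

```python
import re
from dataclasses import dataclass


@dataclass
class Transform:
    """One transforms.conf stanza with DEST_KEY = _MetaData:Index (constructed)."""
    name: str
    regex: str  # Splunk REGEX; these patterns are valid PCRE and Python regexes
    fmt: str    # Splunk FORMAT, e.g. "errorindex" or "$1" for a captured value


def route_event(line: str, transforms: list, default_index: str = "main") -> str:
    """Return the index an event lands in.

    Transforms are tried in the order of TRANSFORMS-newindex; each match
    overwrites _MetaData:Index, so the last match wins (assumption modelled
    here). An event matching nothing keeps the input's default index.
    """
    index = default_index
    for t in transforms:
        m = re.search(t.regex, line)
        if m:
            # Translate Splunk's $1 placeholders into Python's \1 and expand them.
            index = m.expand(re.sub(r"\$(\d+)", r"\\\1", t.fmt))
    return index


def route_all(lines, transforms, default_index="main"):
    return [route_event(line, transforms, default_index) for line in lines]


# Constructed sample events in "<date> <time> <LEVEL> <message>" form.
SAMPLE_LINES = [
    "2024-05-01 10:00:00,123 DEBUG Connection pool size 10",
    "2024-05-01 10:00:01,456 INFO Request served in 12 ms",
    "2024-05-01 10:00:02,789 ERROR Database timeout after 30 s",
    "2024-05-01 10:00:03,000 DEBUG Retrying after ERROR code 504",
]

# Anchored on the level field: only the third token decides the route.
ANCHORED = [
    Transform("index2debug", r"^\S+\s+\S+\s+DEBUG\b", "debugindex"),
    Transform("index2error", r"^\S+\s+\S+\s+ERROR\b", "errorindex"),
]

# Unanchored: "ERROR" inside a DEBUG message also matches, so the last
# DEBUG line is misrouted to errorindex.
LOOSE = [
    Transform("index2debug", r"DEBUG", "debugindex"),
    Transform("index2error", r"ERROR", "errorindex"),
]
```

Running `route_all(SAMPLE_LINES, ANCHORED)` sends the INFO line to the default index and both DEBUG lines to debugindex, while `LOOSE` misroutes the fourth line; the same regexes can then be pasted into transforms.conf.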