How do you route the same data to multiple indexes...

ankithreddy777 · ‎08-23-2017

I am onboarding a new data source. I need to send all of the data to index 1 and part of data to index 2. Is it possible to implement this using transforms? I know it's possible to send particular data to index 1 and remaining to null queue. Could you please help me regarding this?

DalJeanis · ‎08-23-2017

I believe you are looking for CLONE_SOURCETYPE

https://answers.splunk.com/answers/334586/how-to-index-the-same-set-of-logs-and-route-them-t.html

ankithreddy777 · ‎08-24-2017

Hi DalJeanis,

Are the any examples, how to implement it. unable to determine the data flow . I tried to clone sourcetype on indexers

somesoni2 · ‎08-23-2017

Look at the configuration in the question of following post, minus the setnull configs.

https://answers.splunk.com/answers/565396/can-i-still-send-data-to-nullqueue-while-using-met.html#co...

How do you route the same data to multiple indexes?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation