Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to send data to different index?

sarit_s
Communicator
‎06-12-2023 05:04 AM

Hello

I have some kind of data that I want to filter to different index and in the future i would like to stop this index entirely.

The data I want to filter is 

1. all the logs with debug mode

2. logs that contains  Categories!="" OR Categories!=$* OR Categories!="* *" 

How it can be done ?

Thanks

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-12-2023 05:13 AM

Hi @sarit_s,

at first the rules to have different indexes are two:

  • different retention times,
  • different access grants.

In your case I suppose that debug logs have a lower retention than the others.

Anyway, you can address logs to an index in inputs.conf, indicating the destination index in each stanza.

Otherwise, you can override the index value following the instructions that you can find in many answers.

In few words:

you have at first to identify the sourcetype and a regex to select the events to send in a different index, then you have to put

in props.conf

[your_sourcetype]
TRANSFORMS-index = overrideindex

and on transforms.conf

[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = <your_regex>
FORMAT = your_new_index

Rememeber that these two conf files must be in the first full Splunk instance you have (not Universal Forwarder), in other words in the first Heavy Forwarder (if present) or on Indexers.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...