How to send same data source to two or multiple in...

arunsunny · ‎09-01-2017

Consider I have to monitor below log file and send to two or multiple indexes at the same time. ( NOTE: Not indexers groups)

[monitor://D:\test\test1.log]
sourcetype = test
index = online and offline

How can we achieve this?

woodcock · ‎09-02-2017

Another option to avoid double-license hit is to schedule a saved search to use the collect command to copy all the events from the original index into a summary index.

gcusello · ‎09-01-2017

Hi arunsunny,
I don't know why do you want to send the same logs to different indexes, but remember that in this way you have a double (or more) license consumption!
Anyway if you want to do this, the only way is to create symbolic links ( http://docs.splunk.com/Documentation/Splunk/6.6.3/admin/Inputsconf ) and index both original file and symbolic link.
Bye.
Giuseppe

arunsunny · ‎09-01-2017

Hi Cusello,

Could you please provide me an example for the above-mentioned scenario to achieve using a symbolic link.

Regards,
Arun

woodcock · ‎09-02-2017

Like this:

[monitor://D:\test\test1.log]
sourcetype = test
index = online

[monitor://D:\linktotest\test1.log]
sourcetype = test
index = offline

The create s symbolic link from linktotest to test:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363878(v=vs.85).aspx

arunsunny · ‎09-04-2017

Thank you, Woodcock !!

How to send same data source to two or multiple indexes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation