How to specify different indexes for storing data of different source(sourcetype)? The data is coming from remote forwarders.
Define an index-time transform on the indexer and have it apply to the appropriate events.
For example:
props.conf:
[myfavoritesourcetype]
TRANSFORMS-index=sendtomyindex
transforms.conf:
[sendtomyindex]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=myindex
WRITE_META=true
Define an index-time transform on the indexer and have it apply to the appropriate events.
For example:
props.conf:
[myfavoritesourcetype]
TRANSFORMS-index=sendtomyindex
transforms.conf:
[sendtomyindex]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=myindex
WRITE_META=true
See martin's answer for more info on that.
Thank you, I'll try it. By the way, how to get it right from the start on the forwarders as you refered above.
By specifying a different index inside each monitor stanza in inputs.conf, see http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf#Configuration_settings and http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf for reference.
martin_mueller's solution may not be suitable for my requirement. Then, how to use transforms on the indexer or config the forwarders, Ayn?
...on the remote forwarders that is.
If you can't affect how things are setup on these forwarders, you can also rewrite which index events are stored in by using transforms on the indexer. But really, the best thing is to get it right from the start on the forwarders instead.