Re: Reroute host to different index

troy44112 · ‎09-23-2021

I am trying to figure out how to reroute a specific host to a different index.
For example, search results of host=1234test shows in index=best_life...
How would I change the index of host1234 from best_life to fall into a different index that exist already ie. (index=other_index)..

ashvinpandey · ‎09-23-2021

@troy44112

Use props.conf and transforms.conf for this..

 #props.conf
 [source]
 TRANSFORMS-routing_for_norris_index = route_to_norris_index

 #transforms.conf
 [route_to_norris_index]
 DEST_KEY = _MetaData:Index
 REGEX = chuck
 FORMAT = norris

This will route all events containing chuck into the norris index.

please find the below link for more detailed info:
https://blog.avotrix.com/implement-split-indexing-in-splunk/
Also, If this reply helps you, an upvote would be appreciated.

richgalloway · ‎09-23-2021

Check the inputs.conf files on that host. Change all instances of "index=best_life" to "index=other_index" and restart Splunk on that host.

Data that is already in index=best_life cannot be moved, but you can use the collect command to copy events to another index. This will affect your license usage.

---
If this reply helps you, Karma would be appreciated.

Reroute host to different index

index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation