Hello.

I really hope someone on here will be able to help me out. Long story short: I am having some difficulties renaming an index on some cooked data that is hitting my indexer with transforms.conf and props.conf. I am trying to rename it from bottles to newindex.

On the indexer, I have the following:

$SPLUNK_HOME/etc/system/local/transforms.conf:

[changeindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = newindex

$SPLUNK_HOME/etc/system/local/props.conf:

[host::splunk-uf]
TRANSFORMS-index = changeindex

(For what it is worth) $SPLUNK_HOME/etc/system/local/inputs.conf:

[default]
host = splunk-indexer

[splunktcp:9997]
connection_host=none
index = newindex
compressed=true
listenOnIPv6=no

The error Splunk Web on the indexer is giving me when I send logs:

Received event for unconfigured/disabled/deleted index=bottles with source="source::/var/log/messages" host="host::splunk-uf" sourcetype="sourcetype::syslog". So far received events from 1 missing index(es). 

I have been sure to restart Splunk!

Any help would be great appreciated. Thanks!

EDIT: Some more info:

Basically, I need to be able to send data from a Universal Forwarder (UF), via a Heavy Forwarder (HWF) to two indexers. The data needs to be indexed under different indexes on each indexer. I have UF that forwards data to a HWF. The HWF forwarder does some transforms on the data to anonymize some components of it. It then forwards data to Indexer1 and Indexer2 using TCP ROUTING. I have been asked to send data to the bottles index on Indexer1 and to newindex on Indexer2. I have no control over Indexer1 hence why I have set the index to be bottles on the UF and need the HWF to do the anonymizing of data as I don't have control over Indexer1. Thus, I am trying to transform the data hitting Indexer2 to change the index name to newindex.