@somesoni2, since the accepted answer in the "Have forwarder duplicating data to 2 indexes." answer is using the crcSalt command the duplicate log events sent to both indexes will be seen as individual records and count twice against the splunk license. If summery of accelerated search is done to put the data in a tsidx OR summarydb it will not be charged against the license. I get that if this is done at the forwarder or at index time rather than at search time this could potently save CPU cycles or at lease READ IO but overall I don't think you are really saving resources by doing it at index rather than at search time so why use extra licensing to index the same event twice??? -- Sorry just my opinion --( :-] )

See you all at the end of September >DOT CONF IS COMING<>DOT CONF IS COMING<

I absolutely agree. I was about to add the caveat with this approach when some hit me at work.

Apart from the point with @hartfoml, that above approach(s) will cause the double license usage (at least for the duplicate parts) which the summary indexing doesn't, I also want to bring the point that, if you wish to follow the approach above, you'd need to create a new sourcetype (for data to go to index2) with necessary event filter (transforms.conf), as you want to keep all data in index 1.

1. A kinda hidden built-in feature is available for this question. Well, not documented well. But, it works. Yes, you will use more license volume in this approach. (ref: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf )

   CLONE_SOURCETYPE

2. Summary Index is a good approach in general. Search time configuration can be changed, summary index data could be re-indexed.