×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kmccarthy
New Member
Member since: ‎08-16-2012
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-16-2012
Activity Feed
View All

How to write one events to multiple indexes

by in Splunk Search
‎12-10-2012 11:00 AM
‎12-10-2012 11:00 AM
I have many many events and they are all useful but there is a subset that is most important. I want to keep all events in the primary index and then for efficiency (dashboards and searches) create a separate index with just the important events. (I use summary indexes for top level charts which works great but when I drill down from the chart retrieving the events is very slow - which is why I want to create the intermediary index with just the important events). I've been trying variations of props.conf and transforms.conf to write the important events to a second indes. props.conf [source::/var/log/ftauditevents] TRANSFORMS-index = ImportantEvents transforms.conf [ImportantEvents] REGEX = DEST_KEY = _MetaData:Index FORMAT = important_index The problem is that the important events are not written to the primary index - and I still want the primary index to contain all events for other purposes. Any suggestion? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM