@PickleRick , it's a small system (mostly for dev work): everything on 1 Wintel Splunk Server; not distributed/clustered. A couple of remote machines that use a UF. ... View more

For the record, remote UF inputs.conf:   [monitor://C:\pathname\xyz.log] sourcetype = XYZ index = xyz disabled = 0   and Splunk Server props.conf:   [source::...\\xyz.log] sourcetype = XYZ   doesn't do it; the data from remote UF gets the right sourcetype, but still gets indexed into main not xyz. (The local xyz.log data coming from the Splunk Server directory gets the right sourcetype and goes into index xyz) Something on the Splunk Server is over-riding the explicit index specification on the remote UF? Going to try the other recommendation for props.conf and transforms.conf ... View more

@gcusello , that looks like a setup for local files. (I have that set up via Splunk's "Data inputs" --> "Files & directories") It does not seem to work for remote files coming in via the Splunk Universal Forwarder. They may have different drive letters and pathnames, but the same filename (xyz.log). ... View more