Hi @harsmarvania57,
Thanks for your response. I have a doubt in your answer.
as per your 2nd example, the UF contain inputs.conf like below?
[monitor://var/www/testing.log]
disabled = 0
sourcetype = test
index = ok_index
you said "test sourcetype with word error will write it to error_index"
for the FORMAT key value, you mention error_index
here my doubts are
1.which name I choose for a new index in the indexer
ok index OR error_index?
2.If I have two indexers, How HF will find index without specifying the target-group in the FORMAT?
... View more