Before I ask my question, this is my environment.
1 forwarder
4 indexers
1 search head
I am trying to set up several indexes (based on source types).
I have created indexes on each of the indexers (ct_usertransaction), and set up rules according to the documentation.
props.conf (on forwarder)
[ct-UserTransaction]
TRANSFORMS-index = ct-UserTransaction
[ct-UserTransaction]
DEST_KEY = MetaData:Index
REGEX = (ct-UserTransaction:)
FORMAT = ct_usertransaction
But I don't see anything in ct_usertransaction index.
Where do I need to configure the rules, on a forwarder or indexers?
Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for a general explanation.
Thank you very much for this. It is a helpful link.
But it raises another question.
How do I route specific events from a heavyweight forwarder to a specific index on a remote indexer?
You need to set this configuration on the indexer for lightweight forwarders and on the forwarder for heavyweight forwarders.
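The placement described in the answer above, written out as a props.conf/transforms.conf pair for the ct_usertransaction index. This is an added example, not configuration posted by anyone in the thread: the transform name route_ct_usertransaction is hypothetical, and DEST_KEY is written as Splunk's documented index key, _MetaData:Index, with the leading underscore.

```ini
# Both files go on the instance that parses the data:
#   - the heavyweight forwarder, if events pass through one
#   - each indexer, if the forwarder is lightweight
# The target index (ct_usertransaction) must still exist on every indexer.

# ---- props.conf ----
# Stanza name is the sourcetype of the incoming events.
[ct-UserTransaction]
# Name of the transforms.conf stanza to apply at index time.
TRANSFORMS-index = route_ct_usertransaction

# ---- transforms.conf ----
# Hypothetical stanza name; it only has to match the reference in props.conf.
[route_ct_usertransaction]
# Events whose raw text matches this pattern are rerouted.
REGEX = ct-UserTransaction:
# Index routing key; note the leading underscore.
DEST_KEY = _MetaData:Index
# Destination index name.
FORMAT = ct_usertransaction
```

Index-time transforms are read at startup, so restart the instance after changing these files. Only events received after the restart are routed; events already indexed stay where they are.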