I'm trying to get data that I'm indexing at one location to be replicated to another Splunk Indexer at a remote site ONLY during a daily time window (1AM to 3AM).
I've thought of a few options but most of them would involve unwanted side effects such as:
Restarting one of my instances (eg. freezing/ copying/ thawting the buckets);
Not ensuring there are no gaps in the data (eg. forwarder instance being kicked in by a script);
Doubling my license expenditure.
Messing up my data format (eg. Summary Indexing + outputs.conf)
I'm thinking about developing something that would make use of the REST API (not sure about the license implications of that) but maybe someone has already devised a more practical way?
