Hello Guys,
I have Splunk instance which is receiving data from different instances like DEV, QA, UAT and PROD. For then we have separate index like DEV_app, QA_app, UAT_app and PROD_app and they are sharing same sourcetype i.e. app.
Now the issue is, I need to filter events coming in two indexes i.e. Need to seperate debug logs, and as they are sharing same sourcetype so i can't apply filter based on it, as DEV_app filter data need to do to, DEV_debug, QA_app to QA_debug like this.
Any one has some solution to it?