I've got 4 Splunk instances running, with 3 light forwarders sending application logs to my main 'server' instance (I've configured this via forwarding in the management console of my server instance).
It's working great, but I need some way to group or separate the incoming data into different buckets of logs.
For example, I'd like to have the logs from my collection of development environments going into a development index that only the development user is allowed to see and search.
I want to do the same thing for a collection of other environments and users.
What's the easiest approach to this? The buckets are qualified by the hostnames the logs are coming from.
Thanks
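One way to do this, as an added example that is not part of the original post: route by host on the indexing 'server' instance (the light forwarders don't parse events, so host-based routing has to happen where the data is indexed), then restrict a role to that index. The hostname pattern `dev-*`, the index name `dev` and the role name `devuser` are assumptions for illustration; substitute your own. The four files below live under `$SPLUNK_HOME/etc/system/local/` (or an app's `local/` directory) on the server instance, and splunkd needs a restart after editing them.

```ini
# indexes.conf  -- create the destination index first; events routed to an
# index that does not exist yet are dropped, not queued.
[dev]
homePath   = $SPLUNK_DB/dev/db
coldPath   = $SPLUNK_DB/dev/colddb
thawedPath = $SPLUNK_DB/dev/thaweddb

# props.conf  -- apply the routing transform to every event whose host
# (as set by the forwarder) matches the assumed pattern dev-*.
[host::dev-*]
TRANSFORMS-route_dev = set_index_dev

# transforms.conf  -- rewrite the index metadata key at parse time.
# REGEX = . matches every event; the host:: stanza above already scopes it.
[set_index_dev]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = dev

# authorize.conf  -- a role that can search only the dev index; inherits
# the built-in 'user' capabilities but not its index permissions.
[role_devuser]
importRoles        = user
srchIndexesAllowed = dev
srchIndexesDefault = dev
```

Assign the development user to `devuser` (and remove it from any role that carries `srchIndexesAllowed = *`, such as `admin`), then verify with a search scoped to `index=dev` as that user and, as admin, `index=main host=dev-*` returning nothing new after the restart. Repeat the three host-scoped stanzas per environment group. If the forwarders themselves have distinct inputs per environment, the simpler alternative is `index = dev` in the matching `inputs.conf` stanza on each forwarder, which sets the index at collection time and needs no parse-time transform on the server; the `authorize.conf` role is the same either way.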