If events are coming in from heavy forwarder 1 to heavy forwarder 2, is is possible to change the index name on HF B in inputs.conf ?
for example:
I have source- A sending application-x logs to HF1, those application-x logs are coming in syslog format on port-123 udp,
source-A -------->port xyz/tcp on HF1 (inputs.conf configured to map that port to index_A)-------------->coming on port xyz/tcp to HF2 (define events to go to index_B in inputs.conf for port 321/udp?) ------> indexers (stores logs in index_B).
I want to take those logs and map it to index_B instead of index_A, is it possible???
changing from HF1 is not possible as no control on it.
additional question:
Source is same, 3 event types are coming on 3 indexes:
Source A (index_A1,index_A2,index_A3) on port xyz
Can we change those indexes to:
Source A (index_B1,index_B2,index_B3) on port xyz on HFs?
... View more