Dear all,
May I ask a noob question to the experts?
Currently I am forwarding data from several forwarders (F_a, F_b, F_c) to a Splunk indexer (S_a). So like this:
F_a
F_b --- > S_a (These are collected in 3 different Indexes: a, b, c)
F_c
For research purposes I would now like to use all the data that is sent to S_a in another indexer (S_b). So like this:
F_a
F_b ---- > S_a ---- > S_b
F_c
This can of course be done very easily by using "Configuring Forwarding" in the management console. The challenge I have is that I want all the data coming from S_a to S_b to be collected in one single index, e.g. "abc". So in terms of indexes it is like this:
Indexes on S_a:
a
b
c
Index on S_b:
abc
The idea is then to feed all data from indexes a, b, c (from S_a) to the single index abc (in S_b). And I would like to have that not "one time" but in real time during forwarding.
Is that possible, and how? In an ideal case, the information about the original index can then be kept in an additional field.
Best regards, and thanks a lot in advance for your answers.