Hi there,
We have a legacy Splunk install and a new one. During migration we'd like traffic sent to both sets of indexers, there's a HF in the middle. Trouble is that the index names are different in the new world to the old. I'm wondering therefore if, as part of the data duplication I might configure on the heavy forwarder, might I re-write the destination index value at the same time? There are quite a few indexes involved as well. Ideally it would be good to have a lookup running but this might be a search time only thing I'm not sure.
Thanks.
↧