Hi all,
I currently have a scheduled search that runs every minute and filters certain events for the previous minute and then creates a summary index.
However, I got to wondering whether this would be better done within the transforms.conf using REGEX and DEST? The only problem that I would have is that the events would be 'split' over the two indexes. What I would, ideally, like to achieve is - all events go to index 1 and REGEX filtered events go to index 1 AND index 2.
Is this at all possible?
Would another approach be to create multiple Monitor stanzas for the same log file in my universal forwarder inputs.conf to send ALL the events to the two indexes and use transforms.conf to send any events that I don't want in index 2 to a null index?
Thanks for any advice,
Mark.
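For reference, the following is an added configuration example and not part of Mark's post or any reply. It shows the transforms.conf route to "all events to index 1, regex matches also to index 2" using Splunk's CLONE_SOURCETYPE setting, so that no events have to be split or nulled: the original event keeps its sourcetype and index, while only matching events are cloned under a second sourcetype that is routed to index 2. The sourcetype names (app_log, app_log_copy), the index names (index1, index2) and the regex are placeholders chosen for the illustration; substitute your own. These stanzas take effect on the parsing tier (indexer or heavy forwarder), not on a universal forwarder, and CLONE_SOURCETYPE is assumed to be available in the Splunk version in use.

```ini
# ---- inputs.conf (on the universal forwarder) ----
# Everything goes to index1 as sourcetype app_log; one monitor stanza is enough.
[monitor:///var/log/app/app.log]
sourcetype = app_log
index = index1

# ---- props.conf (indexer or heavy forwarder) ----
# Original events: run the clone transform. Events that match its REGEX are
# duplicated under the sourcetype app_log_copy; the original is untouched and
# still lands in index1 with sourcetype app_log.
[app_log]
TRANSFORMS-clone = clone_matches_for_index2

# Cloned events: every one of them already matched the regex, so route them
# all to index2.
[app_log_copy]
TRANSFORMS-route = send_copy_to_index2

# ---- transforms.conf (indexer or heavy forwarder) ----
# Clone only the events of interest. The regex is a placeholder; replace it
# with the filter your scheduled search currently applies.
[clone_matches_for_index2]
REGEX = (?i)login\s+failed
CLONE_SOURCETYPE = app_log_copy

# Override the index for the cloned events (DEST_KEY _MetaData:Index).
[send_copy_to_index2]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index2
```

Because only the clone is re-routed, index1 keeps a complete copy of the log and index2 holds exactly the matching subset, with no nullQueue stanza needed. If you do prefer the "send everything to both, then drop" model, the same transforms.conf mechanism applies with DEST_KEY = queue and FORMAT = nullQueue on the copy's sourcetype, but check on your Splunk version whether two monitor stanzas for the same path are honoured before relying on that; cloning at the parsing tier avoids the question entirely.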