I have a use case where I need to store pii data in one index and sanitized data in another index. I can use the clone_sourcetype, which works, but the problem is I also want to take the generic data that has no PII data and put it in a third index. The idea is as follows:
1). store non-pii data in index1
2). store pii data in a protected index2
3). store the same pii data, but sanitized in a general index3
---incoming data
- no queries send to index1
- has queries send to index2
- send duplicate of index2 to index3 and sanitize with sed / transforms etc
↧