Hello, I have 2 questions I am hoping someone can help me with.
I am trying to figure out how to categorize data based on host (IP) at a heavy forwarder that ultimately categorizes data based on a list of IPs.
Examples:
1) Have data from host=x.x.x.x OR host=y.y.y.y; sourcetype=vendorA AND index=vendorA
2) Have data from host=a.a.a.a OR host=b.b.b.b; sourcetype=vendorB AND index=vendorB
Currently, I have a series of hosts logging to a heavy forwarder and the heavy forwarder sending that data over to an index cluster. Everything is working, but all the data ends up in MAIN and I would like to separate that data for both RBAC and extraction reasons.
I hope that makes sense... Any help would be appreciated.
Thank you,
Jamie
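One way to implement the per-host routing asked about above, as an added example that is not part of the original post and not a posted answer: a props.conf/transforms.conf pair placed on the heavy forwarder. Splunk matches `[host::<name>]` stanzas in props.conf against the event's host field and applies the named transforms at parse time, which is exactly where a heavy forwarder sits. The IP addresses, index names, sourcetype names and stanza names below are placeholders taken from the question's examples; substitute your own.

```ini
# props.conf on the heavy forwarder (e.g. $SPLUNK_HOME/etc/system/local/ or an app's local/)
# One host stanza per source IP; wildcards such as [host::10.1.2.*] are also accepted.
# Placeholder IPs from the question; replace with the real sender addresses.

[host::x.x.x.x]
TRANSFORMS-vendorA_routing = set_index_vendorA, set_sourcetype_vendorA

[host::y.y.y.y]
TRANSFORMS-vendorA_routing = set_index_vendorA, set_sourcetype_vendorA

[host::a.a.a.a]
TRANSFORMS-vendorB_routing = set_index_vendorB, set_sourcetype_vendorB

[host::b.b.b.b]
TRANSFORMS-vendorB_routing = set_index_vendorB, set_sourcetype_vendorB

# transforms.conf on the heavy forwarder
# REGEX = . matches every event, so the rewrite is unconditional for the matched host.

[set_index_vendorA]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = vendorA

[set_sourcetype_vendorA]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vendorA

[set_index_vendorB]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = vendorB

[set_sourcetype_vendorB]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vendorB
```

Two points worth checking before relying on this for RBAC. First, the target indexes (`vendorA`, `vendorB` here) must already exist on the indexer cluster, otherwise the events are dropped or land in the default index; once they exist, restrict access per index through the roles' allowed-indexes setting rather than through search filters alone. Second, because the heavy forwarder parses the data, the indexers receive it already cooked and will not re-run these stanzas, so the routing configuration has to live on the forwarder, and a sourcetype rewritten this way takes effect for search-time extractions keyed on the new sourcetype but does not re-trigger index-time props for that sourcetype on the same pass.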