Hi.
We are about to ingest logs from multiple suppliers, where the individual supplier has full control over their infrastructure.
My take was to create a couple of heavy forwarders and dedicate a port to each supplier:
supplier_1 sends data to port 9991
supplier_2 sends data to port 9992
...
This part I think I have working.
The next problem is that I have a need to separate the data from supplier_1 from that of supplier_2. My thought was to create an index per supplier.
The problem then is how to route data received on port 9991 to index_1 regardless of what is configured on the Universal Forwarder. Except for Splunk stuff (_internal ...), the different suppliers might use the same source or sourcetype, so the receiving port on the heavy forwarder is the only thing I can use to separate the data.
Any help is much appreciated.
Kind regards
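The design point behind the question is that when each supplier controls its own forwarder, any source, sourcetype or index the supplier sets in-band cannot be trusted for tenant separation; the only attribute the receiving side controls is the local port a connection arrived on. The following Python receiver is an added illustration of that principle and is not Splunk configuration or code from the original post; the port-to-index mapping, the JSON line format and the sample lines are constructed assumptions. It binds one listener per supplier, routes every line by the listener's own local port, and records (but never honours) any index the sender claimed.

```python
import json
import socket
import threading


def route_event(local_port, raw_line, port_to_index):
    """Return (index, record) for one line received on local_port.

    The destination index is taken solely from the receiver-side mapping.
    Any "index" the sender embedded is kept as claimed_index for auditing but
    is never used for routing. Unknown ports are rejected rather than guessed.
    """
    index = port_to_index.get(local_port)
    if index is None:
        raise ValueError(f"no supplier mapped to local port {local_port}")
    try:
        payload = json.loads(raw_line)
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):
        payload = {"_raw": raw_line}  # non-JSON lines are wrapped, not dropped
    claimed = payload.pop("index", None)
    return index, {"index": index, "claimed_index": claimed, "event": payload}


def open_listener(host="127.0.0.1", port=0):
    """Bind a listening socket; port 0 lets the OS pick a free port (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_once(srv, port_to_index):
    """Accept one connection on srv and route each newline-terminated line
    by the socket's own local port; returns the list of routed events."""
    local_port = srv.getsockname()[1]
    conn, _ = srv.accept()
    routed = []
    with conn, conn.makefile("r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                routed.append(route_event(local_port, line, port_to_index))
    return routed


def send_lines(host, port, lines):
    """Minimal stand-in for a supplier's forwarder: one connection, one batch."""
    with socket.create_connection((host, port)) as c:
        c.sendall("".join(l + "\n" for l in lines).encode("utf-8"))


def demo():
    """Two suppliers on two ports; supplier_2 reuses supplier_1's source and
    even claims index_1, yet lands in index_2 because of the port it used."""
    srv1, srv2 = open_listener(), open_listener()
    port_to_index = {srv1.getsockname()[1]: "index_1",
                     srv2.getsockname()[1]: "index_2"}
    results = {}

    def worker(srv):
        results[srv.getsockname()[1]] = receive_once(srv, port_to_index)

    threads = [threading.Thread(target=worker, args=(s,)) for s in (srv1, srv2)]
    for t in threads:
        t.start()
    # Constructed sample lines (assumption): both suppliers use source app.log.
    send_lines("127.0.0.1", srv1.getsockname()[1],
               ['{"source": "app.log", "msg": "from supplier_1"}'])
    send_lines("127.0.0.1", srv2.getsockname()[1],
               ['{"source": "app.log", "index": "index_1", "msg": "from supplier_2"}',
                "plain text line"])
    for t in threads:
        t.join()
    for s in (srv1, srv2):
        s.close()
    return {port_to_index[p]: events for p, events in results.items()}


if __name__ == "__main__":
    for index, events in demo().items():
        for _, record in events:
            print(index, record)
```

Running `demo()` shows supplier_2's events filed under index_2 with `claimed_index` set to `"index_1"`, which is the kind of mismatch worth alerting on: a supplier asserting another tenant's index is either misconfigured or probing the boundary between tenants.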