I have an indexing scenario and below are the points to be considered. Imagine I have a log file with DEBUG, INFO, and ERROR events.
1. Need to filter out events with INFO using nullQueue (feasible)
2. DEBUG and ERROR events need to go to DEBUGINDEX and ERRORINDEX respectively (is this feasible?)
Is the second scenario feasible, and if so, how?
I have my data flowing from a universal forwarder to an indexer via a heavy forwarder.