We just implemented Splunk Connect for Kubernetes on our performance environment. Since the data is coming into via HTTP Event Collector which is only configured to one index, how will we differentiate/route the various application logs to different indexes that are coming into the HEC? I have an idea in mind using props and transforms, but I prefer not doing this because of the performance hit.
Is anyone using Splunk Connect for Kubernetes and if so, how did you set up the configuration so that different application logs go to separate indexes?
If different apps are in different k8s namespaces, there is a setting in helm config to enable it and choose specific index for default namespace.
Can you share some info on where I can find this helm config to route logs from a specific namespace to specific index ?
Thanks.
Unfortunately, we are not able to utilize the namespace to index routing feature because all of our applications are in one namespace. Is it a best practice to separate all application to an individual namespace? What if we have hundreds of applications?