We just implemented Splunk Connect for Kubernetes on our performance environment. Since the data is coming in via HTTP Event Collector, which is only configured to one index, how will we differentiate/route the various application logs that are coming into the HEC to different indexes? I have an idea in mind using props and transforms, but I prefer not to do this because of the performance hit.
Is anyone using Splunk Connect for Kubernetes and if so, how did you set up the configuration so that different application logs go to separate indexes?
Unfortunately, we are not able to utilize the namespace-to-index routing feature because all of our applications are in one namespace. Is it a best practice to separate all applications into individual namespaces? What if we have hundreds of applications?