Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to store 2 versions of an event into different indexes coming in on a TCP port?

ericplett
New Member
‎03-15-2016 06:19 AM

Hello,

I am working on a data stream coming into Splunk via a TCP port input, and have the requirement to store two versions of the data into two different indexes. One version will be exactly as it comes in, and the other version will have sensitive data masked before it is indexed.

I know how to do the data masking itself, and I know how to change index name at index time, but I can't seem to figure out how to put these two things together to be able to do what I need to do.

Does anyone out there know how to do this?

Thank you!

0 Karma
Reply

alemarzu
Motivator
‎03-16-2016 08:13 AM

Hi Eric,

Did you read the docs about Data Cloning with Heavy Forwarders ? Don't know if this works, but did you try something like this ?

[perfmon://Memory]
index = index1
sourcetype = original
disabled = 0

[perfmon://Memory]
index = index2
sourcetype = parse_me
disabled = 0

GL

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...