Hi, apologies if I'm using the wrong terminology here. I'm trying to configure SC4S to override the destination indexes of types of sources. For example, if an event is received from a Cisco firewall, by default it'll end up in the 'netfw' index. Instead, I want all events that would have gone to 'netfw' to go to, for example, 'site1_netfw'.

I attempted to do this using the splunk_metadata.csv file, but I now understand I've misinterpreted the documentation. I had used 'netfw,index,site1_netfw', but if I understand correctly, I'd actually need to have a separate line for each key, such as 'cisco_asa,index,site1_netfw'. Is that correct? Is there a way to accomplish what I want without listing each source key?

Thanks