I have a firewall index that is currently receiving syslog data. From that data I want to copy only certain logs from the firewall and send them to another folder so that the UF can send them on to a different index. I do not want to change the original firewall data, but merely make a copy of the data that I want to be sent to another path. An example is below.
Scenario:
I have an index=firewall. It ingests subnets 10.10.x.y, 10.20.x.y and 10.30.x.y. I want to take any data concerning subnet 10.20.x.y and copy it into another index (index=firewall2).
Outcome: index=firewall has 10.10.x.y, 10.20.x.y, and 10.30.x.y. index=firewall2 has 10.20.x.y
How can this be achieved?
Will this increase my volume consumption?
If it does increase my volume ingestion, is there a work around? (Could something be done post ingestion?)
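One way to get the outcome described in the question without touching files on the forwarder is Splunk's index-time event cloning (CLONE_SOURCETYPE in transforms.conf). The configuration below is an added example written for this thread, not something posted by the original author or taken from Splunk's own app; it assumes the firewall syslog arrives with sourcetype firewall_syslog (an assumed name) and that the props/transforms are deployed on the first full Splunk instance that parses the data (indexer or heavy forwarder), because a universal forwarder does not run TRANSFORMS. The clone transform leaves the original event untouched, so index=firewall keeps all three subnets; only events whose _raw matches the 10.20.x.y regex are duplicated, given a second sourcetype, and routed to index=firewall2 by that sourcetype's own transform.

```ini
# --- props.conf (assumed sourcetype name: firewall_syslog) ---
# Run the clone transform on every firewall syslog event. The original
# event continues through the pipeline unchanged and lands in index=firewall.
[firewall_syslog]
TRANSFORMS-clone_10_20 = clone_subnet_10_20

# Props for the cloned copy. The cloned event is re-processed with this
# sourcetype, so its routing rules live here, separate from the original.
[firewall_syslog:10_20_clone]
TRANSFORMS-route_clone = route_clone_to_firewall2

# --- transforms.conf ---
# Clone only events that mention an address in 10.20.0.0/16.
# REGEX must match _raw for the clone to be created; non-matching events
# (10.10.x.y, 10.30.x.y) produce no copy at all.
[clone_subnet_10_20]
REGEX = \b10\.20\.\d{1,3}\.\d{1,3}\b
CLONE_SOURCETYPE = firewall_syslog:10_20_clone

# Send every cloned event (REGEX = . matches any event) to index=firewall2.
[route_clone_to_firewall2]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = firewall2
```

Two caveats a practitioner should check before deploying: index=firewall2 must already exist on the indexers (indexes.conf), and the cloned copy is indexed a second time, so the matched 10.20.x.y events count against license volume twice. If that second copy is not acceptable, the alternative is not a clone at all but a saved search or a summary index populated post-ingestion, which also costs nothing against the daily license quota. Validate the regex and the routing with a handful of sample events on a test indexer (for example by checking `index=firewall2 sourcetype=firewall_syslog:10_20_clone` returns only 10.20.x.y traffic) before rolling it to production.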