I am working on a data stream coming into Splunk via a TCP port input, and have the requirement to store two versions of the data into two different indexes. One version will be exactly as it comes in, and the other version will have sensitive data masked before it is indexed.
I know how to do the data masking itself, and I know how to change the index name at index time, but I can't seem to figure out how to put these two things together to be able to do what I need to do.
Does anyone out there know how to do this?