Hi, this seems to be based on [mysourcetype]. So, if an index gets dozens of sourcetypes treated in the HF, I will need to override each one of them individually. I need to redirect for a short period of time, targeting nullQueue for the remainder of the day. All this is detected via alerts throttled upon threshold crossings. Once the threshold is crossed, I need a "kill switch" that would flush any data into an index based on an allowed ingestion threshold (plus 5%). I thought of overriding from MyIndex to nullQueue using props/transforms files, but I need it to be simple and efficient. This needs to take precedence over all MyIndex-related props/transforms that would still exist, but would simply be left aside. I would deliver "on the fly" an app that would contain props/transforms (all data targeting MyIndex redirected to nullQueue) and restart my Splunk HF service. At midnight, I would simply delete the "on the fly" app and restart my Splunk HF, falling back to the previously left-aside existing MyIndex-related props/transforms.