Hello fellow Splunkers!
**Problem Statement**
- My logs have INFO, WARNING and DEBUG log entries. The DEBUG log entries have customer-specific information which I wouldn't want to expose to a wider audience.
- I want some specific users in the team to have access to the logs with these DEBUG log entries. Others shouldn't be able to access it.
**My Solution**
- Create 2 indexes: 'index-normal' and 'index-debug'.
- Have roles and users created so that access to these indexes is granted accordingly. Easy. Can be managed!
- At the forwarder, I have 2 segments - each corresponding to indexing the same log to a different index. Note that I am attempting to bypass the props.conf and transforms.conf at the indexer by using `queue = indexQueue` in one of the sections.
```ini
[monitor:///mypath/abc.log]
disabled = false
index = index-normal
sourcetype = mysourcetype

[monitor:///mypath/abc.log]
disabled = false
index = index-debug
sourcetype = mysourcetype
queue = indexQueue
```
- With the above configuration, I am attempting to index the same file twice and sending them to 2 separate indexes. One (index) going through the props.conf and transforms.conf configs at the indexer and the other (index-debug) bypassing it.
- At the indexer, I am stripping out the log entries that contain the DEBUG string.

props.conf:
```ini
[mysourcetype]
TRANSFORMS-null = setnull
NO_BINARY_CHECK = 1
pulldown_type = 1
```

transforms.conf:
```ini
[setnull]
REGEX = DEBUG
DEST_KEY = queue
FORMAT = nullQueue
```
Needless to say, this isn't working.
**Questions**
- Is this the best way to handle this situation? I am trying to index the same log twice (and maybe that's not happening). Is there a better approach by using some logic at the indexer end?
- If this is the approach which is to be used, where am I going wrong?
Thanks!
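A configuration that produces both copies from a single input, added here as an example and not part of the original post or any answer to it. Two `[monitor:///mypath/abc.log]` stanzas share the same header, so Splunk merges them into one input rather than reading the file twice; the alternative below monitors the file once and has the indexer clone each event with `CLONE_SOURCETYPE`. The clone gets its own sourcetype, which is routed to `index-debug` with every line intact, while the original copy keeps the `setnull` transform that drops DEBUG lines before they reach `index-normal`. The sourcetype name `mysourcetype_debug` and the transform names `clone_to_debug` and `to_debug_index` are assumptions; the index and path names are the ones from the post.

```ini
# inputs.conf (forwarder) - a single monitor stanza; the file is read once
[monitor:///mypath/abc.log]
disabled = false
index = index-normal
sourcetype = mysourcetype

# props.conf (indexer)
[mysourcetype]
# Clone first, then drop DEBUG from the original. Listing both transforms
# on one TRANSFORMS line fixes their order: the clone is created before the
# original event can be sent to nullQueue.
TRANSFORMS-route = clone_to_debug, setnull

[mysourcetype_debug]
# Assumed sourcetype for the cloned copy. It keeps every line, DEBUG included,
# and is rerouted to the restricted index.
TRANSFORMS-route = to_debug_index

# transforms.conf (indexer)
[clone_to_debug]
# Match every event and emit a copy with the debug sourcetype.
REGEX = .
CLONE_SOURCETYPE = mysourcetype_debug

[setnull]
# Same filter as in the post: the original copy loses any DEBUG line.
REGEX = DEBUG
DEST_KEY = queue
FORMAT = nullQueue

[to_debug_index]
# Override the input's default index for the cloned copy.
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index-debug
```

With this in place, role-based access on `index-debug` is what keeps the customer-specific lines away from the wider audience; users who can only search `index-normal` never see them. Two caveats: the cloned events carry `sourcetype=mysourcetype_debug`, so searches and field extractions for that index must use that sourcetype, and `REGEX = DEBUG` matches the string anywhere in the line, so once the log format is known it is worth anchoring the regex to the level field so that a message body merely containing the word DEBUG is not dropped.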