stinkingpig
commented
6 years ago https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Propsconf "Props.conf is commonly used for: ...
- Overriding automated host and source type matching. You can use props.conf to: ...
- Routing specific events to a particular index, when you have multiple indexes."
luckyj5
rkitzman
Hello Splunk Team,
Good evening.
We have recently used the “Splunk Nozzle for PCF” tile in one of our PCF environments.
In this current tile, we don’t have an option to use multiple splunk indexes for multiple event types. For example, one index for ‘LogMessage’, one for ‘ValueMetric’ and so on and so forth.
Reason for this requirement: If we see a huge amount of Application logs that are flowing towards Splunk, then we have to stop that single index which we have configured inside the PCF Ops Manager GUI. We need to do this as we have some storage restrictions from Splunk’s end. And after that, we won’t be able to see any other system/component logs inside Splunk GUI as there was only 1 index and we have already stopped that index.
Possible Solution: If we can use multiple indexes for multiple event types instead of using one index for all the event types. Then we will have the flexibility to start/stop any particular nozzle/index.
We have sent exactly the same request to pivotal-cf-feedback@pivotal.io. And they have replied with the following.
Please let us know if you already have a solution on this requirement.
Regards, Arunava Basu