I have my UF and indexer set up and what I want to do is sending both metrics and event data from UF to indexer.
from my understanding what I could do is set up two stanzas in **inputs.conf** of indexer like below
[tcp://9997]
connection_host = dns
index = event_index
sourcetype = syslog
[tcp://9998]
connection_host = dns
index = metric_index
sourcetype = syslog
and the idea situation would be sending metric data to `:9998` and event data to `:9997` separately
but the problem is it seems impossible to achieve this through configuring **outputs.conf** (I could send both data to both ports using the data cloning technique mentioned in doc, but that's not ideal)
So is there a way to achieve this separation of data forwarding?
↧