How to split multiple indices from one source
Sven Breier
Hi, we currently receive multiple data types (AD, DNS, DHCP) in Splunk via one source/port and split them with multiple input apps into multiple indices with the correct data.
How can we do that in Cribl? With multiple routes/pipelines to forward the data into the correct indices?
Thanks
Answers
If it is coming in via a single source, I would use a pre-processing pipeline on your source. You can use this to identify the distinguishing characteristics and split the data however you need (i.e., a specific source or data characteristic would indicate which index it belongs to).
Once the data goes through the pre-processing pipeline, it can then be sent through the routes/pipelines and then to the destination(s) of your choosing.
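The splitting logic described in the answer, as an added example that is not part of the original thread: plain JavaScript (the language Cribl Stream expressions are written in) that tags each event with an `index` field based on its content and sends anything unmatched to a fallback index. The patterns, index names and sample events are constructed assumptions, not values from the thread or from Cribl.

```javascript
// Added example: rule patterns, index names and sample events are constructed
// assumptions, not values from the thread or from Cribl.
const FALLBACK_INDEX = 'unclassified';

// Ordered rules: the first pattern that matches _raw decides the index.
const RULES = [
  // Windows DHCP server audit log style: ID,Date,Time,Description,...
  { index: 'dhcp', pattern: /^\d+,\d{2}\/\d{2}\/\d{2},\d{2}:\d{2}:\d{2},/ },
  // Windows DNS debug log style: "... PACKET ... UDP Rcv ..."
  { index: 'dns', pattern: /\bPACKET\b.*\b(?:UDP|TCP)\b/ },
  // Windows Security log events forwarded from domain controllers
  { index: 'ad', pattern: /Microsoft-Windows-Security-Auditing/ },
];

// Returns a copy of the event with an index field set from its content.
function assignIndex(event) {
  const raw = typeof event._raw === 'string' ? event._raw : '';
  const rule = RULES.find((r) => r.pattern.test(raw));
  // Unmatched events go to a fallback index so they stay visible for review.
  return { ...event, index: rule ? rule.index : FALLBACK_INDEX };
}

// Tallies how many events each index would receive.
function countByIndex(events) {
  const counts = {};
  for (const e of events.map(assignIndex)) {
    counts[e.index] = (counts[e.index] || 0) + 1;
  }
  return counts;
}

// Constructed sample events, all arriving on the same input.
const SAMPLE_EVENTS = [
  { _raw: '10,04/02/24,10:15:01,Assign,10.0.0.15,host1.example.test,AABBCCDDEEFF,' },
  { _raw: '4/2/2024 10:15:02 AM 0A1C PACKET 000000 UDP Rcv 10.0.0.15 0001 Q [0001 D NOERROR] A (5)host1(7)example(4)test(0)' },
  { _raw: 'LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=4624' },
  { _raw: 'keepalive from forwarder' },
  { host: 'dc01' }, // no _raw at all
];

console.log(countByIndex(SAMPLE_EVENTS));
```

Reviewing what lands in the fallback index shows which inputs the rules miss, instead of that data ending up silently in the wrong index.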