At times, you may want to send events to a different index, either because they need to live longer than other events or because they contain sensitive information that should not be seen by all users. This can be applied to any type of event from any source, be it a file, network, or script.
All that we have to do is match the event and reset the index.
```
[contains_password_1]
DEST_KEY = _MetaData:Index
REGEX = Password reset called
FORMAT = sensitive
```
The things to note are as follows:
- In this scenario, you will probably create multiple transforms, so make sure each stanza name is unique
- DEST_KEY starts with an underscore
- FORMAT does not start with index::
- The index sensitive must exist on the machine indexing the data, or else the event will be lost
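
The transform above only takes effect once a props.conf stanza references it, and the separate index only limits visibility if role permissions are restricted. The following set of fragments is an added example, not part of the original text; the sourcetype `app_auth_log`, the role `sensitive_reader`, the class name `route_sensitive`, and the retention value are assumptions chosen for illustration.

```ini
# --- props.conf (on the indexer or heavy forwarder that parses the data) ---
# "app_auth_log" is a hypothetical sourcetype; substitute your own.
[app_auth_log]
# Binds the transform to this sourcetype; without this line the
# transforms.conf stanza is never evaluated.
TRANSFORMS-route_sensitive = contains_password_1

# --- transforms.conf (same instance as props.conf) ---
[contains_password_1]
# REGEX is applied to _raw by default and is case-sensitive.
REGEX = Password reset called
DEST_KEY = _MetaData:Index
FORMAT = sensitive

# --- indexes.conf (on every indexer that can receive these events) ---
# The index must exist before matching events arrive, or they are lost.
[sensitive]
homePath   = $SPLUNK_DB/sensitive/db
coldPath   = $SPLUNK_DB/sensitive/colddb
thawedPath = $SPLUNK_DB/sensitive/thaweddb
# Constructed retention value: 730 days (730 * 86400 seconds).
frozenTimePeriodInSecs = 63072000

# --- authorize.conf (on the search head) ---
# "sensitive_reader" is a hypothetical role for users cleared to see the data.
[role_sensitive_reader]
srchIndexesAllowed = main;sensitive
# Searches without an explicit index= clause stay on main.
srchIndexesDefault = main
# Review every other role: any role whose srchIndexesAllowed names
# "sensitive" or uses a wildcard that matches it can also search the index.
```

Index-time routing applies only to events indexed after the configuration is loaded; events already written to the original index stay there.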