For on premise installations of Humio it is possible to specify that parsers that can ingest data into multiple repositories.
It can be useful to ship all data to one parser and have that parser ship data to many different repositories. For example if logs are being sent from a single source, it is possible to setup one parser that can parse all events from this source and decide which repositories to send events to.
If the Humio configuration variable
ALLOW_CHANGE_REPO_ON_EVENTS=true is set, then Humio allows ingest to any repository specified by the
repo tag. The
repo tag can be set by adding
repo as a tag and setting the
repo field in the parser, or by setting
#repo on the endpoints supporting setting tags directly (eg. the HEC endpoint). The ingest token used must be valid for the repository a request is made against, but allows redirecting through the
repo tag to any other repository. If the named repo does not exist then the event remains in the repo designated by the ingest token.
This is a potential security issue on a public API endpoint, so this option should only be used inside a trusted environment. For the same reason this feature is not enabled on Humio Cloud.