Events sent from one Universal Forwarder to another UF are going directly into the main index, even after I have specified index and sourcetype in the inputs.conf file on the receiving forwarder. How can I avoid this?
inputs.conf on the receiving forwarder:
[splunktcp://9817]
index=test_logs
sourcetype=testlogs