Is there a way to forward data collected using [script] to multiple indexers using Splunk's load balancing feature? This is a TCP stream and I am trying to implement this by using a universal forwarder, and according to the documentation, it says:

> Universal forwarders have a slight disadvantage in that they can't switch indexers when monitoring TCP network streams of data unless they encounter an End of File (EOF) marker in the stream or an indexer goes down.

How and when could I introduce an EOF marker? Is there a setting in outputs.conf to do that or should my script handle this?