I have a universal forwarder (version 6.2.5) that is forwarding a monitored log file to an indexer. I want to add another monitored log file that should be sent to a different indexer.
I got this to work by adding a `[tcpout:indexer2]` stanza to the outputs.conf and using `_TCP_ROUTING = indexer2` in inputs.conf for the new log file. However, the `_internal` index (splunkd.log etc.) is now being sent to both the original indexer and indexer2. I want the `_internal` index to be sent only to the original indexer. How can I configure the forwarder to make this happen?
Here are the outputs.conf and inputs.conf settings I am currently using:
**outputs.conf**
```ini
[tcpout]
defaultGroup = indexer1

[tcpout:indexer1]
server = server1:9997
autoLB = true

[tcpout:indexer2]
server = server2:9997
autoLB = true
```
**inputs.conf**
```ini
[monitor:///var/log/test1.log]
disabled = false
index = test
sourcetype = access_combined

[monitor:///var/log/test2.log]
_TCP_ROUTING = indexer2
disabled = false
index = test
sourcetype = access_combined
```