We have a well established Splunk app on an instance which is serving as a Search Head and an Indexer. However, there are some data there which needs to be forwarded to some other site, which hosts a different application. Some of the data comes from a modular input (receiving some TCP traffic), but there are others, like *hix TA, which we would also like to forward to that other app at a different site.
Is there any trick to do that? Any special settings I need to have in `inputs.conf` and `outputs.conf` to work properly and not disturb the main operation, which has quite a few indexes and wants its data locally?
↧