Hi!
I have several windows hosts with the Universal Forwarder and Splunk_TA_Windows installed. they are feeding into a heavy forwarder and being forwarded to SplunkCloud.
My Windows event logs from Splunk_TA_Windows are going into index "wineventlog".
I would like to use a non-standard index. I've tried editing inputs.conf on the heavy forw3arder and also tried changing transforms.conf and props.conf to re-direct but have had no luck.
Is it possible to make this change on the HF, or does it need to be made on each host? I'm getting the impression that changes like this to the Splunk_TA_Windows need to be made on each individual host. Can someone confirm this?
If it is possible on the HF how can it be done?
Thanks,
JG
↧