We need to route and filter data on the heavy forwarder. We are having trouble configuring the routing of security logs to a Splunk instance specifically for security logs and the main Enterprise instance.
We want to direct certain log files to our main indexers and/or a separate Splunk instance specifically for security. We want to send security data to the security instance and send Windows Application/System logs to both sets of indexers. We created an app on the heavy forwarder; however, it does not seem to be working as expected.
Here is our props.conf:

```ini
[WinEventLog:Application]
TRANSFORMS-routing_Windows_=Windows_GIS_data_app
[WinEventLog:Security]
TRANSFORMS-routing_Windows_=Windows_GIS_data_sec
[WinEventLog:System]
TRANSFORMS-routing_Windows_=Windows_GIS_data_sys

# Main index
[Perfmon:CPU Load]
TRANSFORMS-routing_Windows_=Windows_splunk_main_data
[Perfmon:Available Memory]
TRANSFORMS-routing_Windows_=Windows_splunk_main_data
[Perfmon:Free Disk Space]
TRANSFORMS-routing_Windows_=Windows_splunk_main_data

# Perfmon index
[Perfmon:PhysicalDisk]
TRANSFORMS-routing_Windows_=Windows_splunk_perfmon_data
[Perfmon:CPU]
TRANSFORMS-routing_Windows_=Windows_splunk_perfmon_data
[Perfmon:Memory]
TRANSFORMS-routing_Windows_=Windows_splunk_perfmon_data
[Perfmon:MemoryStats]
TRANSFORMS-routing_Windows_=Windows_splunk_perfmon_data
[Perfmon:CPUTime]
TRANSFORMS-routing_Windows_=Windows_splunk_perfmon_data
[Perfmon:FreeDiskSpace]
TRANSFORMS-routing_Windows_=Windows_splunk_perfmon_data
```
Here is our transforms.conf:

```ini
[Windows_GIS_data_app]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = ALL_INDEXERS
[Windows_GIS_data_sec]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = GIS_INDEXERS
[Windows_GIS_data_sys]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = ALL_INDEXERS
[Windows_splunk_main_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = FARMERS_MAIN_INDEXERS
[Windows_splunk_perfmon_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = FARMERS_INDEXERS
```
Here is our outputs.conf:

```ini
[indexAndForward]
index=true
selectiveIndexing=true
[GIS_INDEXERS]
indexAndForward = true
[tcpout:GIS_INDEXERS]
server=10.148.186.83:9997, 10.148.186.84:9997
[ALL_INDEXERS]
indexAndForward = true
[tcpout:ALL_INDEXERS]
server=10.142.114.13:18017, 10.148.186.83:9997, 10.148.186.84:9997
[FARMERS_INDEXERS]
indexAndForward = true
[tcpout:FARMERS_INDEXERS]
server=10.142.114.13:18015
[FARMERS_MAIN_INDEXERS]
indexAndForward = false
[tcpout:FARMERS_MAIN_INDEXERS]
server=10.142.114.13:18013
```
Can anyone help to resolve the issue?
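A quick way to see what the three files above actually resolve to is to walk the chain the heavy forwarder walks: props.conf `TRANSFORMS-*` → transforms.conf stanza with `DEST_KEY = _TCP_ROUTING` → its `FORMAT` → the matching `[tcpout:<group>]` stanza in outputs.conf. The script below is an added example, not part of the question or of Splunk; it uses constructed, trimmed copies of the posted files (the `FARMERS_MAIN_INDEXERS` tcpout stanza is deliberately left out of the constructed outputs.conf to show how a `FORMAT` that points at a non-existent group is reported) and assumes the files parse as plain INI.

```python
import configparser

# Constructed, trimmed copies of the posted conf files (not the live forwarder config).
PROPS = """
[WinEventLog:Application]
TRANSFORMS-routing_Windows_ = Windows_GIS_data_app
[WinEventLog:Security]
TRANSFORMS-routing_Windows_ = Windows_GIS_data_sec
[Perfmon:CPU Load]
TRANSFORMS-routing_Windows_ = Windows_splunk_main_data
"""
TRANSFORMS = """
[Windows_GIS_data_app]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = ALL_INDEXERS
[Windows_GIS_data_sec]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = GIS_INDEXERS
[Windows_splunk_main_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = FARMERS_MAIN_INDEXERS
"""
OUTPUTS = """
[tcpout:GIS_INDEXERS]
server = 10.148.186.83:9997, 10.148.186.84:9997
[tcpout:ALL_INDEXERS]
server = 10.142.114.13:18017, 10.148.186.83:9997, 10.148.186.84:9997
"""

def load(text):
    # Only '=' separates key and value; ':' is part of stanza names and server values.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. TRANSFORMS-..., DEST_KEY
    cp.read_string(text)
    return cp

def resolve_routing(props_text, transforms_text, outputs_text):
    """Map sourcetype -> (tcpout group, server list); servers is None if the group has no stanza."""
    props, transforms, outputs = load(props_text), load(transforms_text), load(outputs_text)
    groups = {s[len("tcpout:"):]: [x.strip() for x in outputs[s]["server"].split(",")]
              for s in outputs.sections() if s.startswith("tcpout:") and outputs.has_option(s, "server")}
    routes = {}
    for st in props.sections():
        for key, names in props[st].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for t in (n.strip() for n in names.split(",")):
                if t in transforms and transforms[t].get("DEST_KEY") == "_TCP_ROUTING":
                    group = transforms[t].get("FORMAT", "")
                    routes[st] = (group, groups.get(group))
    return routes

def dangling(routes):
    """Sourcetypes whose routing FORMAT names a group with no [tcpout:<group>] stanza."""
    return sorted(st for st, (_, servers) in routes.items() if servers is None)
```

Run `resolve_routing(PROPS, TRANSFORMS, OUTPUTS)` against the real files to confirm that each Security/Application/System sourcetype lands on the group you expect before looking elsewhere for the fault.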