We have an environment where we have Universal Forwarder ---> Heavy Forwarder ---> Indexer and would like to have the splunk_server metadata be the HF so that the information is easily separated out between HFs. Please let me know how to set the splunk_server setting and make sure the indexer doesn't override it and put its own hostname in that location.