I am a Splunk novice and have created a splunk indexer cluster in a windows environment. I have two heavy forwarders gathering event log data from machines in each heavy forwarder’s specific subnet. When I log onto either indexer cluster member or the search head, I can see that event log data is being collected from both heavy forwarders in the Main index – good so far.
Now, on the Master Node, I updated the indexes.conf file (located at \etc\master-apps\_cluster\local) and created two new indexes – one index named Cat and one named Dog. After Distributing the Configuration Bundle, both indexers in the indexer cluster now show the Cat and Dog indexes – now this part is good.
I cannot for the life of me figure out how to get one heavy forwarder to forward all of the event log data it collected to go to the Cat index instead of the Main index and for the other heavy forwarder to forward to Dog instead of Main. Can someone help me? I appreciate assistance. Thanks!
↧