So we have a client system that has their own Splunk indexer.
For certain reasons, they do not want their Splunk universal forwarders sending logs to two separate indexers, but want to continue to have all their logs sent to their indexer, and then forward select indexes from their indexer to ours.
Most of the indexandforward items seem to require a heavy forwarder to work.
We are trying not to interfere with their current setup as much as possible and adding the heavy forwarder seems like it would be exactly that. Any thoughts would be greatly appreciated.