I have inherited a Splunk installation from the previous administrator where there is a heavy forwarder **and** a UF installed on the same machine.
Since this is a bad practice in terms of performance, I am planning to remove the UF and copy the relevant inputs files to the Splunk Enterprise instance (which acts as a heavy forwarder).
How can I avoid re-indexing the same logs when copying the inputs configuration from the HF to the UF (mainly Windows Events)?
Thanks.