Consider my Splunk implementation as follows:
Syslog ----> Heavy Forwarder ---> Indexer
It's OK when I forward syslog to the heavy forwarder and it goes to the indexer. Selecting the specific index for each context is occurring at the heavy forwarder layer. But the question is: can I forward universal forwarder logs to the heavy forwarder? I need to filter the data at the heavy forwarder layer. I just did this and this is what I got on the indexer:
Check out this documentation on setting up an intermediate forwarder. An intermediate forwarder can be either a Universal or Heavy forwarder and is used a lot in Splunk Cloud architectures to limit the number of egress points.
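A minimal configuration sketch of the Universal Forwarder -> Heavy Forwarder -> Indexer chain with filtering at the heavy forwarder, added here as an example and not taken from the original thread or the linked documentation. The host names, port 9997, the sourcetype `app:log`, the index `app_logs` and the DEBUG filter are assumptions. Because a universal forwarder sends unparsed data, the heavy forwarder is the first parsing instance, so its props.conf and transforms.conf rules apply.

```ini
# --- Universal Forwarder: outputs.conf ---
# Send everything to the intermediate heavy forwarder (hypothetical host).
[tcpout]
defaultGroup = intermediate_hf

[tcpout:intermediate_hf]
server = hf.example.internal:9997

# --- Heavy Forwarder: inputs.conf ---
# Listen for forwarder traffic from the universal forwarders.
[splunktcp://9997]
disabled = 0

# --- Heavy Forwarder: props.conf ---
# Apply index-time transforms to the assumed sourcetype.
[app:log]
TRANSFORMS-filter_and_route = drop_debug, route_app_index

# --- Heavy Forwarder: transforms.conf ---
# Discard events containing DEBUG by sending them to the null queue.
[drop_debug]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

# Route the remaining events to a specific index (assumed name).
[route_app_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_logs

# --- Heavy Forwarder: outputs.conf ---
# Forward the filtered, parsed data on to the indexer (hypothetical host).
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx.example.internal:9997
```

The target index must already exist on the indexer, otherwise the routed events are rejected or land in the last-chance index if one is configured.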