I'm trying to use Heavy Forwarders (HF) to route and filter data to another Splunk setup outside of mine. My goal is to send only sourcetype=log4net matching a REGEX (let's say ClientName). I managed to do this, but the client requested that I also change the index the data is sent to, which totally messed up my solution.
Trying to make it short: index=main sourcetype=log4net with ClientName should be routed to the client, index=main sourcetype=iis whatever should not. Any help is deeply appreciated!