In my current setup, I want to forward only internal logs to Indexers in myOrg, whereas, some non-internal logs to Indexers of an external Org.

Below is my current outputs.conf, however, its not working as intended. I am seeing forwarder attempting to forward non-internal logs to myOrg's indexers as well.

[tcpout]
defaultGroup = Internal_indexers

#disable default filters
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
forwardedindex.3.whitelist =

#Enable these
forwardedindex.4.whitelist = (_audit|_introspection|_internal|_telemetry)

[tcpout:Internal_indexers]
server = index01:9997

[tcpout:OrgA_indexer]
server = y.y.y.y:9997

Update:

Below is inputs.conf for non-internal log

[monitor://some_source.log]
index = abc
sourcetype = syslog
_TCP_ROUTING = OrgA_indexer