In my current setup, I want to forward only internal logs to Indexers in myOrg, whereas, some non-internal logs to Indexers of an external Org.
Below is my current outputs.conf, however, its not working as intended. I am seeing forwarder attempting to forward non-internal logs to myOrg's indexers as well.
defaultGroup = Internal_indexers
#disable default filters
forwardedindex.4.whitelist = (_audit|_introspection|_internal|_telemetry)
server = index01:9997
server = y.y.y.y:9997
Below is inputs.conf for non-internal log
index = abc
sourcetype = syslog
_TCP_ROUTING = OrgA_indexer