If anyone could help me clarify these, that would help.
A Universal Forwarder can send data to only "one" indexer at a time?
A UF cannot be configured to send data to multiple indexes in the same splunk instance.
Is my understanding correct?
If I'm wrong about question 1,
say I have two Splunk instances (two different teams A & B using their own Splunk, no relation at all).
However, Team B wants some data from Team A. Team B is not allowed to install their forwarders on Team A's web servers. Team A's web servers have their own UF installed for their own Splunk instance. Is there a way to send the data using Team A's UFs into Team B's Splunk index?
Universal Forwarder can send logs to many Indexers in two configurations:
So you can follow two approaches:
You can find information about this issue at https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Usingforwardingagents and https://docs.splunk.com/Documentation/Forwarder/8.0.3/Forwarder/Configureforwardingwithoutputs.conf.
Team A doesn't use the data that Team B wants. Team A has set up their UF to get data from the web servers that is different from Team B's. The data that Team B's Splunk instance wants is present on Team A's web servers, and they are wondering if they can get it using Team A's Splunk UF that is already installed there.
Yes, you can: Team A's UFs must be configured to send a part of their data to both the Indexers, following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Perform_selective_...
In other words, they have to configure in outputs.conf a default targetGroup (containing the Indexers of Team A) to send all the logs and a second targetGroup (containing the Indexers of Team B) to send the specified data.
Then they have to put in inputs.conf _INDEX_AND_FORWARD_ROUTING= in the stanzas to send to both the indexers.
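A sketch of the two-target-group layout described in this thread, added here as an example and not taken from any of the posts or from Splunk's own files. Host names, ports, file paths and index names are constructed placeholders, and the per-input routing uses `_TCP_ROUTING`, the inputs.conf setting that names tcpout groups for a stanza, rather than the setting named in the answer above.

```ini
# ---------- outputs.conf on Team A's Universal Forwarder ----------
[tcpout]
# Inputs with no explicit routing go ONLY to Team A's indexers, so
# nothing reaches Team B unless a stanza names Team B's group.
defaultGroup = teamA_indexers

[tcpout:teamA_indexers]
# Constructed placeholder hosts
server = idx1.team-a.example:9997, idx2.team-a.example:9997

[tcpout:teamB_indexers]
# Constructed placeholder host
server = idx1.team-b.example:9997

# ---------- inputs.conf on the same forwarder ----------
# Team A's own data: no routing key, follows defaultGroup.
[monitor:///var/log/teamA/app.log]
index = teama_app

# Data both teams want: sent to both target groups.
# Assumption: an index named "web" exists on both teams' indexers.
[monitor:///var/log/httpd/access_log]
index = web
_TCP_ROUTING = teamA_indexers, teamB_indexers

# Data only Team B wants (Team A does not index it).
# Assumption: index "teamb_web" exists on Team B's indexers.
[monitor:///var/log/httpd/error_log]
index = teamb_web
_TCP_ROUTING = teamB_indexers
```

Keeping `defaultGroup` limited to Team A and naming Team B only on specific stanzas means any new input added later stays inside Team A's environment until someone explicitly routes it out.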