While i was working on a few transforms I pointed my forwarder to a "test" index. Once I got the transforms working the way I wanted to, I tried to point the forwarder back to my "main" index, but it doesn't seem to be picking up my change. I've restarted the Windows Universal Forwarder service a few times with no effect. Here's the inputs definition from $SPLUNK_HOME/etc/system/local/inputs.conf (on the forwarder):
[monitor://D:\LogFiles\W3SVC1] disabled = 0 index = main whitelist = ex(\d+).log sourcetype = iis-2
The indexer continues to insert these events into the "test" index instead of "main". Any ideas why this is happening?
Can you verify that your indexer(s) is not affecting the target index. Any index routing props/transforms defined based on host/source/sourcetype for this data could be affecting the target index.