I have a splunk instance with an alert manager app that is producing logs that are being indexed on the same machine as index=alerts.
I would like to forward this data to another splunk instance, without use an universal forwarder, but only changing the outputs.conf file in splunk.
Using this system, I m forwarding ALL the logs are contains in my splunk istance to the other one, but I would like to send only index=alerts.
How can I change the inputs/outputs.conf to allow this?
Outputs.conf: in “$splunkhome$/etc/system/local/outputs.conf Something like what is below:
defaultGroup = local
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = alerts
[tcpout:whatever] -- Whatever it is set to now should work if it is already forwarding everything.