I am forwarding the logs from the heavy forwarder using the outputs.conf and as a result all the internal logs have been forwarded as well.
Is there a way to search the _internal logs internally in that instance itself? There is a dashboard provided for an add-on for that heavy forwarder, but it cannot run as the internal logs cannot be searched.
You will want to configure TCP routing to handle the sourcetypes separately.
One way is to leave indexAndForward=false globally, and re-route your internal logs to add that parameter for the tcpout group.
# props.conf
[splunkd]
# (or if nothing else is generated 'on' the host you could use host? to save doing it for each sourcetype)
TRANSFORMS-routing=internal

# transforms.conf
[internal]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=internalLogs

# outputs.conf
[tcpout]
defaultGroup=default

[tcpout:internalLogs]
indexAndForward=false
server=your_indexer:9997

[tcpout:default]
server=your_indexer:9997
Another approach is to use forwardedindex which is covered in that doc.
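An added example, not part of the original answer and not Splunk tooling: a small Python check that follows the reference chain the routing configuration above depends on (a props.conf TRANSFORMS- setting, the transforms.conf stanza that sets _TCP_ROUTING, and the outputs.conf tcpout group it names) and reports names that point at no stanza. The file names, the sample stanzas (retyped from the answer) and the `load` / `route_for` helpers are assumptions of this example, and REGEX matching is not modelled.

```python
import configparser

# Constructed copies of the stanzas from the answer above; file names are assumed.
PROPS = "[splunkd]\nTRANSFORMS-routing=internal\n"
TRANSFORMS = "[internal]\nREGEX=.\nDEST_KEY=_TCP_ROUTING\nFORMAT=internalLogs\n"
OUTPUTS = """[tcpout]
defaultGroup=default
[tcpout:internalLogs]
indexAndForward=false
server=your_indexer:9997
[tcpout:default]
server=your_indexer:9997
"""

def load(text):
    """Parse Splunk-style .conf text, keeping key case and ':' inside values."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def route_for(sourcetype, props, transforms, outputs):
    """Follow props TRANSFORMS-* -> transforms _TCP_ROUTING -> [tcpout:<group>].
    Simplified model: assumes each transform's REGEX matches the event and
    ignores host:: / source:: stanzas. Returns (groups, problems)."""
    problems = []
    groups = _csv(outputs.get("tcpout", "defaultGroup", fallback=""))
    if props.has_section(sourcetype):
        for key, value in props.items(sourcetype):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in _csv(value):
                if not transforms.has_section(name):
                    problems.append(f"[{sourcetype}] {key}: no transforms stanza [{name}]")
                elif transforms.get(name, "DEST_KEY", fallback="") == "_TCP_ROUTING":
                    groups = _csv(transforms.get(name, "FORMAT", fallback=""))
    for group in groups:
        if not outputs.has_section(f"tcpout:{group}"):
            problems.append(f"no [tcpout:{group}] stanza in outputs.conf")
    return groups, problems

if __name__ == "__main__":
    confs = load(PROPS), load(TRANSFORMS), load(OUTPUTS)
    for st in ("splunkd", "syslog"):
        print(st, route_for(st, *confs))
```

Run it against the forwarder's real files by passing their contents to `load`; an empty problems list means every name in the chain resolves to a stanza.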
Well, you might have set the parameter indexAndForward=false in the outputs.conf, which will not store a copy of the data on the heavy forwarder and instead only send the data to your indexers.
If you want to do what you are planning you have to set the parameter to true.