I am attempting to get a specific index from an internal Splunk setup to an external one without clustering. Thus far I have been led to believe that using indexAndForward is the best option for this. I have 3 test systems sending their logs to the main index, while one system is sending each WinEventLog log to its own index (security_logs, application_logs, etc.), much like our client systems are already set to do. When I use the below setup with outputs.conf, transforms.conf and props.conf, I get the WinEventLog:Security and System, and that is all (the Security being the only one I want to test). However, for the one sending all its logs to individual indexes, I get EVERYTHING except those logs.
defaultGroup = splunkinternal,splunkexternal
server = xx.xx.10.19:9997
server = xx.xx.1.6:9997
Pull in specific indexes (index=security_logs) and only those specific indexes OR specify certain log files (WinEventLog:Security), without getting the others. Any assistance or links would be extremely helpful. See below for links I used to arrive where I am.