OK. You can't "forward" already existing data. You need to search the indexes, create a "dump" of the results and push them to the other solution.

For the continuously incoming data you can either use syslog output on your indexers or a s2s output to an external component (either a HF or a third-party solution which can talk s2s). The caveat here is that it introduces additional complexity and possible points of failure on your indexers.

If your architecture had a separate HF layer before indexers through which all input streams went you could do that on that HF layer instead of indexers.

General forwarding to an external system solution is tricky to do well. You might want to engage PS or your local Splunk Partner.

Thank you for your detailed response!

If I were to implement a Heavy Forwarder (HF) in my architecture, would this be the correct approach? Additionally, would it be considered a best practice for forwarding data to an external system?

"Best practice" depends heavily on use case. There are some general best practices but they might not be suited well to a particular situation at hand. That's why I suggest involving a skilled professional who will review your detailed requirements and suggest appropriate solution.

I apologize for the mistake in my previous reply about forwarding data. To clarify, the data to be forwarded will be new data only.

Regarding your question, could you clarify what you mean by "how much data"? Are you asking about the data volume per day or the total size of all data?

The data to be forwarded comes from two indexers, and it includes all indexes.