yes. I created index AAA on indexer. AAA is just an example, my actual index is like my_index_aaa 

Did you got anything to this new index?

What MC (monitoring console) is saying about this index, when you are looking it?

Does i need config in data input HTTP EVENT COLLECTOR?

In normal case installing DBX 3.x will configure HEC locally and you don't need to do anything for it. Of course if you want you can configure it manually e.g. with your normal VIP for HEC, but I prefer that which come with DBX in most cases.

And as you already get those event to splunk, but into wrong index, HEC is working. But it seems that there are somewhere wrongly configured props.conf and/or transform.conf which change the indexes where those events goes. Or for some reason indexers don't recognise your new index, but if those old DBX versions is using it then this is not true at this case.

Can you try "splunk btool props.conf list <sourcetype> --debug" on every node which are part of path from DBX HF to Indexer. If needed check also source and host same way.

r. Ismo

i tried to set sourcetype=dbx2 in HEC, it work, lok. i dont know why.

Anw thanks your response!

I have 3 heavy forwaders, 2 HF installed splunk db connect 2.4.1 it work fine. I create 3th HF and install splunk db 3.5.1 it doesn't work forward right index.

I see this index in both MC and indexes.conf file on deployment-server.