I am trying to install a newer version of Splunk enterprise. As part of this, I want the universal forwarders to forward data to both new and old Splunk enterprise - Indexer masters.
Is there a way to do it? The new Splunk will have different indexes configured, while the old Splunk should not get affected which has its own indexes.
I read about 2 options 1. Multiple UF on the same machine (this is not supported by Splunk) 2. Cloning data in
transforms.conf
and sending the cloned data to new Splunk, to the index I want.
... View more