In short, I have a heavy forwarder that is receiving a bunch of data from a syslog feed. The forwarder then sends the data to my indexer group specified in outputs.conf. I also want to forward a subset of this data to a 3rd party application on a different server. Fortunately, this subset of data is coming from the same host.
I have tried a configuration with props.conf and transforms.conf to route the data from this specific host. I then didn't see this subset of data on my indexers. So would it be possible to have this subset of data filtered and routed on the heavy forwarder to a 3rd party application and, at the same time, sent to an index on my indexer group?