Unfortunately, the "filtering" is applied to a particular input (there is no filtering capability as such on Universal Forwarder - the black/whitelisting is a functionality of this particular input). So you can't get two different data streams from a single input. And most of the metadata is specified also at the input level (no advanced manipulation on UF, so no props/transforms) so the most you can do - as others already pointed out is to route the events to two destinations. It's the destination HF/indexer that you can try to manipulate the metadata on further (i.e. rewrite the index, source, sourcetype and so on). ... View more

The most likely cause (apart from an error in transfer but that should trigger an error in unpacking the software) is that you downloaded a release for a wrong architecture (i.e. you're trying to run a 64-bit executable on a 32-bit machine).   ... View more

Please tell me your requirements. In usual, splunk don't use 8080 port. ... View more

This indeed did fix the issue. Thanks for the help. ... View more