It's important to read the docs before you upgrade. They actually mentioned the intentions in their release notes if I remember correctly.
Usually you will have a single index.conf for your indexers which will include all of your index definitions altogether. Splitting this into several apps isn't really manageable. An app should not define an index for you.
Now the inputs.conf files do not have the index line in the stanza so how does the app know what index to send specific data to?
How does the Windows_TA app know to send [WinEventLog://Application] data to the winevent index?
The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x along with the index= parameter from all stanzas in inputs.conf, wmi.conf, and eventgen.conf.
If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.
If you were using indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the windows, wineventlog, and perfmon stanzas from the indexes.conf, inputs.conf, wmi.conf, and eventgen.conf files in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/ folder to the /Splunk_TA_Windows/local/ folder. Otherwise, any data collected will go to the default main index.
When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. Install the add-on onto the indexer, and create a new indexes.conf file in the /Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the /Splunk_TA_Windows/local/ directory.*
Why did Splunk do this?
What were their intentions?
Now all data gets sent to the main index 😕 **rolleyes