I have a Splunk setup defined like: Universal Forwarder ----> Heavy Forwarder ----> Indexer
I need all the logs hitting my Indexer to go to a specific index. Which option is better:
1) Configuring **index= new_index** in Universal forwarder's input.conf
2) Configuring **index= new_index** in Heavy forwarder's input.conf
3) Configuring **index= new_index** in Indexer's input.conf