I have been trying to figure this out for a few days, and I am not getting anywhere.
I have specific data coming in on one server/directory that has a UF installed on it that I want to send to a specific Indexer/Index. Windows logs go to the index cluster, and the PII data needs to go to a stand alone indexer.
So, here is what I have currently,
**** OUTPUTS.CONF ****
[tcpout]
defaultGroup = ihf_cluster
[tcpout:ihf_cluster]
autoLB=true
server = 10.10.10.1:9997, 10.10.10.2:9997,10.10.10.3:9997,10.10.10.4:9997
[tcpout:Fraud]
server = 10.10.10.100:9997
**** INPUTS.CONF ****
[monitor:/E:\fraudlogs]
disabled = false
sourcetype = PII
index = PII
_TCP_ROUTING = Fraud
↧