I'm trying to change were universal forwarders information gets indexed.
Example:
Universal forwarder configured to send data to splunkserver:2222
On the Splunk server in my /etc/system/local/inputs.conf I have:
[splunktcp://2222]
index = notmain
However all the forwarded data goes into the main index.
Thanks
Adding index=notmain on the universal forwarder /etc/system/local/inputs.conf did the trick