What you are trying to achieve will unfortunately not work with a Universal Forwarder. We are talking about event routing, which needs to happen on a Heavy Forwarder.
https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Configure_routing
In your case, you would have to implement a routing transformation as follows:
props.conf

[WinEventLog://Security]
TRANSFORMS-1-routing = route_by_company1
TRANSFORMS-2-routing = route_by_company2

transforms.conf

[route_by_company1]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=company1

[route_by_company2]
REGEX=.*OU=secondCompany,DC=local,DC=domainName$
DEST_KEY=_TCP_ROUTING
FORMAT=company2

Your outputs.conf can stay as is.
I am not 100% sure if I did all stanzas correctly, but you should get the basic idea of what needs to be done. Important step: you need a Heavy Forwarder for that. If you can't install a HF on the Domain Controller, you should consider installing an additional HF as an intermediate forwarder, and send all your DC traffic to this HF, and do the routing there.
A last option would be filtering out the unwanted events on the company2 indexers, by sending them to the nullQueue instead of indexing. This however would mean you have to send the traffic to both companies, which might be a compliance issue. But that's something you have to consider.
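An offline check of the two REGEX values from the answer against sample events, worth running before the transforms go onto a Heavy Forwarder. This is an added example, not part of the original answer: the `route` helper and the sample events are constructed here, and it assumes the last matching transform's FORMAT is what ends up in `_TCP_ROUTING`.

```python
import re

# The two transforms from the answer, in the order props.conf lists them
# (TRANSFORMS-1-routing, then TRANSFORMS-2-routing).
TRANSFORMS = [
    ("route_by_company1", r".*", "company1"),
    ("route_by_company2",
     r".*OU=secondCompany,DC=local,DC=domainName$", "company2"),
]

# Constructed sample events (not real log data).
SAMPLES = {
    # DN is the last thing in the event, so the trailing "$" can match.
    "dn_at_end": "LogName=Security EventCode=4624 "
                 "Account=CN=jdoe,OU=secondCompany,DC=local,DC=domainName",
    # DN sits on a middle line of a multi-line event: "$" anchors at the
    # end of the whole event, so this does not match route_by_company2.
    "dn_mid_event": "LogName=Security\n"
                    "Account=CN=jdoe,OU=secondCompany,DC=local,DC=domainName\n"
                    "Message=An account was successfully logged on.",
    # Event belonging to the other OU.
    "other_company": "LogName=Security\n"
                     "Account=CN=asmith,OU=firstCompany,DC=local,DC=domainName",
}


def route(event, transforms=TRANSFORMS, default_group=None):
    """Return the output group an event ends up with.

    Modelling assumption: each transform whose REGEX matches writes its
    FORMAT into _TCP_ROUTING, so the last matching transform wins.
    """
    group = default_group
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            group = fmt
    return group


if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name:15s} -> {route(event)}")
```

The `dn_mid_event` case is the one to watch: an event that does carry the secondCompany DN still falls through to `company1` when the DN is not at the very end of the event.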