Our Splunk 6.1.5 environment is on Linux. We have universal forwarders installed on our Windows machines. They are already forwarding data to the index "os_windows". I have another index, "test_application_index", to which some of my servers are forwarding other types of logs. Now, I also need to forward the Windows event log "application" to this "test_application_index".
I know that I can add the following lines to the "inputs.conf" file for the second app (index), but I am not sure if it is the correct way, as we already have this information in "os_windows" and by doing this, we are indexing that data twice.
Any suggestions?
[WinEventLog:Application]
disabled = false
index=test_application_index