Splunk Operational Intelligence Cookbook

Adding the receiving indexer via outputs.conf

The receiving indexers can be added directly to the outputs.conf configuration file on the Universal Forwarder (UF). Edit $SPLUNK_HOME/etc/system/local/outputs.conf, add your input, and then restart the UF. The following example configuration specifies two receiving indexers. The [tcpout-server] stanza can be used to add output settings specific to an individual receiving indexer:

[tcpout] 
defaultGroup = default-autolb-group 
 
[tcpout:default-autolb-group] 
disabled = false 
server = mysplunkindexer1:9997,mysplunkindexer2:9997 
 
[tcpout-server://mysplunkindexer1:9997] 
[tcpout-server://mysplunkindexer2:9997] 

If nothing has been configured in inputs.conf on the UF, but outputs.conf is configured with at least one valid receiving indexer, the Splunk forwarder will send only internal forwarder health-related data to the indexer. It is therefore possible for a forwarder to be configured correctly and detected by the Splunk indexers, yet not actually send any real data.
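A forwarder in this state looks healthy from the indexer side while collecting nothing, so it is worth checking for before relying on that host's logs. The following is an added example, not code from the book or from Splunk: it reads the text of outputs.conf and inputs.conf and reports which case applies. The function names and the status strings ("ok", "internal-only", "no-receiver") are hypothetical, and only the text passed in is inspected, whereas Splunk merges configuration from several directories.

```python
import re

# Constructed sample: the outputs.conf from the text and an empty inputs.conf.
SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = mysplunkindexer1:9997,mysplunkindexer2:9997

[tcpout-server://mysplunkindexer1:9997]
[tcpout-server://mysplunkindexer2:9997]
"""
SAMPLE_INPUTS = ""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas = {"default": {}}
    current = stanzas["default"]  # keys before any header go to [default]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def is_disabled(stanza):
    return stanza.get("disabled", "false").lower() in ("true", "1")

def receivers(outputs):
    """host:port targets of the enabled group(s) named by defaultGroup."""
    targets = []
    for group in outputs.get("tcpout", {}).get("defaultGroup", "").split(","):
        stanza = outputs.get("tcpout:" + group.strip(), {})
        if not is_disabled(stanza):
            targets += [s.strip() for s in stanza.get("server", "").split(",") if s.strip()]
    return targets

def check_forwarder(outputs_text, inputs_text):
    """Return (status, receivers, enabled input stanzas)."""
    targets = receivers(parse_conf(outputs_text))
    inputs = [name for name, kv in parse_conf(inputs_text).items()
              if name != "default" and not is_disabled(kv)]
    status = "no-receiver" if not targets else "ok" if inputs else "internal-only"
    return status, targets, inputs
```

With the sample above, `check_forwarder(SAMPLE_OUTPUTS, SAMPLE_INPUTS)` reports "internal-only": both indexers are resolved as receivers, but no input stanza exists to produce real data.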