I know that there have been many variations of this question asked, but I cannot seem to find the one that suits me.
We currently have a single indexer that receives various syslogs and UF data. Our parent company would like us to forward a subset of that data to them (some of it by source field and some of it by host field).
I did read about sending to third party systems, but from what I took from this, you are required to do this from another (separate) forwarder and not the indexer. How can I take the received data and send a subset based on certain criteria and forward it to the 3rd party?