https://community.splunk.com/t5/Getting-Data-In/How-can-I-forward-data-from-UniversalForwarder-for-2-instances/m-p/300184#M56791 <P>I have universal forwarder with Splunk_TA_Stream and my app _server_app_audit where in inputs.conf I write <CODE>_TCP_Routing = mygroup1</CODE> or 2 at each app. After that, I write into outputs.conf <CODE>[tcpout:mygroup1 or 2]</CODE> <CODE>server = index1:9997 or 2</CODE> at each app but stream sends data to all indexes.</P> Tue, 29 Sep 2020 18:45:43 GMT Klimdy 2020-09-29T18:45:43Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-forward-data-from-UniversalForwarder-for-2-instances/m-p/300184#M56791 <P>I have universal forwarder with Splunk_TA_Stream and my app _server_app_audit where in inputs.conf I write <CODE>_TCP_Routing = mygroup1</CODE> or 2 at each app. After that, I write into outputs.conf <CODE>[tcpout:mygroup1 or 2]</CODE> <CODE>server = index1:9997 or 2</CODE> at each app but stream sends data to all indexes.</P> Tue, 29 Sep 2020 18:45:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-forward-data-from-UniversalForwarder-for-2-instances/m-p/300184#M56791 Klimdy 2020-09-29T18:45:43Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-forward-data-from-UniversalForwarder-for-2-instances/m-p/300185#M56792 <P>Can you please give sample configuration files to understand requirement more?</P> Mon, 02 Apr 2018 10:42:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-forward-data-from-UniversalForwarder-for-2-instances/m-p/300185#M56792 p_gurav 2018-04-02T10:42:33Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-forward-data-from-UniversalForwarder-for-2-instances/m-p/300186#M56793 <P>inputs.conf in Splunk_TA_Stream on forwarder:</P> <BLOCKQUOTE> <P>[streamfwd://streamfwd]<BR /> _TCP_ROUTING = testGroup <BR /> splunk_stream_app_location = <A href="https://my_indexer2:8000/en-us/custom/splunk_app_stream/" target="_blank">https://my_indexer2:8000/en-us/custom/splunk_app_stream/</A><BR /> stream_forwarder_id = <BR /> disabled = 0</P> </BLOCKQUOTE> <P>outputs.conf in Splunk_TA_Stream on forwarder:</P> <BLOCKQUOTE> <P>[tcpout:testgroup] <BR /> server = my_indexer2:9997</P> </BLOCKQUOTE> <P>and i have a second app on forwarder:</P> <P>inputs.conf in _server_app_my_app on forwarder:</P> <BLOCKQUOTE> <P>[monitor:///var/log/audit/audit.log]<BR /> _TCP_ROUTING = prodgroup <BR /> disabled = false <BR /> index = auditd <BR /> sourcetype = linux:audit</P> </BLOCKQUOTE> <P>ouputs.conf in _server_app_my_app on forwarder:</P> <BLOCKQUOTE> <P>[tcpout:prodgroup] <BR /> server = my_indexer1:9997</P> </BLOCKQUOTE> <P>Before, I had outputs.conf in /local but i deleted it and after that restart splunkforwarder. Deployment server is my_indexer1, i need stream data routing to my_indexer2 and linux:audit to my_indexer1, but stream data is routing on 2 indexer. </P> Tue, 29 Sep 2020 18:45:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-forward-data-from-UniversalForwarder-for-2-instances/m-p/300186#M56793 Klimdy 2020-09-29T18:45:45Z