https://community.splunk.com/t5/Splunk-Search/How-can-I-index-logs-to-a-specific-splunk-cloud/m-p/599090#M208581 <P><SPAN class=""><SPAN class="">Hi there,</SPAN></SPAN> <SPAN class=""><SPAN class="">If I have several splunk clouds and a heavy forwarder on-premise, how can I configure the heavy forwarder to send specific logs to a specific splunk cloud?</SPAN></SPAN></P> Tue, 24 May 2022 14:28:50 GMT zcx01067 2022-05-24T14:28:50Z https://community.splunk.com/t5/Splunk-Search/How-can-I-index-logs-to-a-specific-splunk-cloud/m-p/599090#M208581 <P><SPAN class=""><SPAN class="">Hi there,</SPAN></SPAN> <SPAN class=""><SPAN class="">If I have several splunk clouds and a heavy forwarder on-premise, how can I configure the heavy forwarder to send specific logs to a specific splunk cloud?</SPAN></SPAN></P> Tue, 24 May 2022 14:28:50 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-index-logs-to-a-specific-splunk-cloud/m-p/599090#M208581 zcx01067 2022-05-24T14:28:50Z https://community.splunk.com/t5/Splunk-Search/How-can-I-index-logs-to-a-specific-splunk-cloud/m-p/599173#M208593 <P>Can be achieved via the magic of props, transforms and outputs.conf on a heavy forwarder. Here are the steps.</P><UL><LI>Select the log source, find its metadata value (host, source or sourcetype)</LI><LI>in props.conf (Under the app where your inputs is kept or under system/local), put the following</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">[yoursourectype/host/source] TRANSFORMS-routing=route_data_to_region1 TRANSFORMS-routing1=route_data_to_region2 TRANSFORMS-routing2=route_data_to_region3</LI-CODE><P>&nbsp;</P><UL><LI>In the same directory, under transforms.conf, please put the following:</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">[route_data_to_region1] REGEX=&lt;Your regex to match the data that you want to send to this region&gt; DEST_KEY=_TCP_ROUTING FORMAT=target_group1 #You can name the target group name mentioned in the outputs.conf of this region as well [route_data_to_region2] REGEX=&lt;Your regex to match the data that you want to send to this region&gt; DEST_KEY=_TCP_ROUTING FORMAT=target_group2 [route_data_to_region3] REGEX=&lt;Your regex to match the data that you want to send to this region&gt; DEST_KEY=_TCP_ROUTING FORMAT=target_group3</LI-CODE><P>&nbsp;</P><UL><LI>Now in outputs.conf under the same directory, you can route the data to your different SplunkCloud regions. Since its SplunkCloud, please add the certificate path and key like the one present in the certificate app.</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">[tcpout:target_group1] server=&lt;ip&gt;:&lt;port&gt; #Enter your indexers' IP address and details #Add more details like cert's path (Provided by Splunk for Splunkcloud) for TLS handshake, key's path and other configs as required. [tcpout:target_group2] server=&lt;ip&gt;:&lt;port&gt; [tcpout:target_group3] server=&lt;ip&gt;:&lt;port&gt;​</LI-CODE><P>&nbsp;</P><UL><LI>Restart splunk service on the HF and the data routing shall begin.</LI></UL><P>&nbsp;</P><P>Hope this helps,</P><P>##If this helps, please consider an upvote/accepting as an answer###</P> Tue, 24 May 2022 21:45:39 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-index-logs-to-a-specific-splunk-cloud/m-p/599173#M208593 shivanshu1593 2022-05-24T21:45:39Z