Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Configure Universal Forwarder to multiple SIEMs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configure Universal Forwarder to multiple SIEMs
Hopefully a straight forward question, can the SPLUNK universal forwarder (or the SPLUNK heavy forwarder) send to different SIEMS? For example if I configured the SPLUNK UF to send to (1) a SPLUNK indexer and (2) a 3rd-party SIEM would this work? I understand that the configuration can only have 1 active link at a time. I can't "load balance" these as the SPLUNK indexer and the 3rd-party SIEM might take a different log format.
Same question applies to the Heavy Forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk forwarders can forward raw data to non-Splunk systems over a plain TCP socket or packaged in standard syslog. Because they are forwarding to a non-Splunk system, they can send only raw data.
By editing outputs.conf, props.conf, and transforms.conf, you can configure a heavy forwarder to route data conditionally to third-party systems, in the same way that it routes data conditionally to other Splunk instances. You can filter the data by host, source, or source type. You can also use regular expressions to further qualify the data.
Data forwarding to third-party systems is one of several search result export methods that Splunk software offers
have a look at this doc
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Forwarddatatothird-partysystemsd
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I wanted to know more was by editing this configuration can I simultaneously send data to multiple SIEMS at the same time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I think you can assign multiple comma separated IP's for server = option.
You can see this answer for reference.
https://answers.splunk.com/answers/211403/how-to-configure-inputsconf-and-outputsconf-on-the.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding multiple IPs to the server = setting will cause Splunk to loadbalance across those destinations right? In order to send to multiple destinations simultaneously you need to set up multiple tcpout groups, just like the documentation you linked to in your answer explains.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah, that is there. Yes, you are right you need to create [tcpout] groups as well.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
