Here is an example config that accomplishes this. I would recommend reading: http://www.splunk.com/base/Documentation/latest/Admin/Configureforwarderswithoutputs.conf
# outputs.conf
[syslog]
defaultGroup=nothing
indexAndForward=true

[syslog:serverX]
server = beefysup01:514

[syslog:serverY]
server = 10.1.12.10:514
Note: By default, all events will get sent to all configured target groups. To avoid this, you need to set defaultGroup=nothing ("nothing" can be any name that is not defined as a target group). Then you manually route data to the targets using props and transforms.
Note: This is an example of why you should receive different types of network inputs on different ports. If data feeds A and B were different kinds of syslog (say router data and proxy data), and if both were received on default syslog port 514, then you would have a hard time separating A from B.
# transforms.conf
[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=serverX,serverY

Note: FORMAT is a comma-separated list of target groups, which results in cloning of the data.
I believe that this could be more efficiently accomplished this way, assuming feed A comes in on port 1500, and B comes in on port 1600:
# inputs.conf
[udp:1500]
_SYSLOG_ROUTING = nothing

[udp:1600]
_SYSLOG_ROUTING = serverX,serverY
# outputs.conf
[syslog]
defaultGroup = none

# syslog target groups are declared as [syslog:<group name>]
[syslog:serverX]
server = x:1234

[syslog:serverY]
server = y:1234
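
The first answer says data is routed "using props and transforms" but shows only the transforms stanza. The following is an added example, not from either poster, that puts the props.conf binding together with the transforms.conf and outputs.conf stanzas. It assumes feed B arrives on UDP port 1600, so its events carry the source udp:1600, and the class name syslog_routing is an arbitrary label.

```ini
# props.conf
# Assumption: feed B is received on UDP 1600, so its events have source "udp:1600".
# Only events matching this stanza are handed to the routing transform.
[source::udp:1600]
TRANSFORMS-syslog_routing = syslogRouting

# transforms.conf
# REGEX = . matches every event that reaches this transform;
# DEST_KEY/FORMAT set the syslog target groups for those events.
[syslogRouting]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverX,serverY

# outputs.conf
# "nothing" is not a defined target group, so events that no transform
# (or input setting) routes explicitly are not sent to any syslog target.
[syslog]
defaultGroup = nothing

[syslog:serverX]
server = beefysup01:514

[syslog:serverY]
server = 10.1.12.10:514
```

With this in place, feed A (any other source) matches no props stanza, falls through to the undefined default group, and is not forwarded, while feed B is cloned to both targets.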