Thank you for your response , I have tried below but with that also same problem . 

codec => plain { charset => "UTF-8" }

codec => plain { charset => "UTF-16LE" }

That is what I wanted to confirm 🙂 . Do you have any suggestion what could be the other way to send logs using UF to logstash , I have tested TCP which is working but somehow it is sending splunk UF  internal logs too to logstash which I need to filter later at logstash level 

Whether via HTTP or TCP, the UF only sends data using the Splunk-to-Splunk protocol so cannot send successfully to Logstash.  I suggest using a Logstash agent, instead.

The sending of UF internal logs is a setting in an inputs.conf file.  Turning that off will not solve the above problem, however.

exactly , stopping internal logs at UF level does not work however at logstash level it worked . but yeah via HEC it is not possible it seems so far . Still waiting for others to respond may be we crack something amazing here collectively 🙂 . Thank you for response though 

You can make events generated by local inputs be sent to just one output group. But that will not be pretty.

You need to set _TCP_ROUTING key for each input stanza that you want to selectively manage. That means adding this to every single Splunk's own input. I'd just create a separate app and create inputs.conf in that app containing just this one setting per each input stanza.

EDIT: And one more thing - you cannot use both tcpout and httpout at the same time.

@richgalloway Shouldn't UF send raw data when sendCookedData=false on tcpout? Never tried it myself but the docs say so.

Well I was using this already as mentioned in my original post . 

You used httpout which doesn't use this option at all so I completely missed that.

Good find, @PickleRick !  The docs do imply one should set sendCookedData=false when sending to third-party systems.

@vikas_gopalPlease try that and report the results.

It is expected. By default Splunk sends all data to all output groups. You'd need to fiddle with event routing which can be tricky since UF normally doesn't do transforms.

so I tried this but end up with same problem 
UF--> HF(routing) --> LS( writing to a file) 

httpout is definitely not working/supported for logstash . 

It's not that httpout is not supported for logstash, it's that logstash cannot do s2s. 😉

Yes, it is confusing but despite sharing some of the low-level mechanics, s2s over http (which is httpout) has nothing to do with "normal HEC" .