Getting Data In

Can you help me send data to cloud as well on-premise servers?

Explorer

We have a requirement to send data from our HF server to Splunk cloud indexers as well as on-premise indexer.

So, Windows index data has to go to only the cloud indexer. The rest of the indexer data goes to the on-premise indexer server.

I have tried to put outputs.conf like this:

TCPout
defaultgroup=onpremindex
[tcpout:onpremindex]
server=ip:9997
forrwardedindex.1.blacklist= windows

[tcpout:splunkcloud]
forrwardedindex.1.whitelist= windows

But, it's still not woking. It may be tcp_routing will work, so looking for suggestions.

0 Karma