Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Cloning Data on a Heavy Forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @redgoat ,
It can be done like this (Assuming that each S3 has it's own separate input and host or source or sourcetype, preferably sourcetype)
Identify the input, which you want to send to a separate set of Indexers, obtain it's sourcetype and then On your HF, go to props.conf or create one in the local directory of the AWS add on and put the following:
[host/source/sourcetype_name_here]
TRANSFORMS-routing=newRouting
Now, under transforms.conf under the same directory (create one if its missing), put the following
[newRouting]
REGEX= . DEST_KEY=_TCP_ROUTING FORMAT=newGroup
Then, in outputs.conf under the same local directory (copy your main outputs.conf here and APPEND the following in it)
[tcpout:newGroup]
server=<ip of your indexers, where you want to send the data>:<port number>
If you aren't sure or don't use different sourcetypes, let me know and I'll suggest a different solution for it.
Hope this helps.
Thank you,
S
***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Here is a link [ https://mk-datalab.blogspot.com/2021/09/splunk-hf-advanced-data-routing-cloning.html ] of an Article that reference Splunk Documentation and emphasize on the above way in more details and more data routing & cloning scenarios.
Please check ! and feedback me !
Thanks,
Mohamed Khalil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @redgoat ,
It can be done like this (Assuming that each S3 has it's own separate input and host or source or sourcetype, preferably sourcetype)
Identify the input, which you want to send to a separate set of Indexers, obtain it's sourcetype and then On your HF, go to props.conf or create one in the local directory of the AWS add on and put the following:
[host/source/sourcetype_name_here]
TRANSFORMS-routing=newRouting
Now, under transforms.conf under the same directory (create one if its missing), put the following
[newRouting]
REGEX= . DEST_KEY=_TCP_ROUTING FORMAT=newGroup
Then, in outputs.conf under the same local directory (copy your main outputs.conf here and APPEND the following in it)
[tcpout:newGroup]
server=<ip of your indexers, where you want to send the data>:<port number>
If you aren't sure or don't use different sourcetypes, let me know and I'll suggest a different solution for it.
Hope this helps.
Thank you,
S
***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
