Configure forwarding data to two tcpout groups wit...

jg91 · ‎12-16-2022

Is it possible to configure heavy forwarders to send data to two tcpout groups (A,B) (outputs.conf) and don't block on group B failure?

We want to send all data to group A, and a subset of data (specific sourcetypes) to group B, but group B is in a remote location and our link to that location is not fully stable and we don't want to event loss in group A on link failures or group B failures.

[tcpout]

[tcpout:groupA]
server=indexerA1_ip:9997,indexerA2_ip:9997

[tcpout:groupB]
server=indexerB_ip:9997

gcusello · ‎12-16-2022

@jg91,

yes it should be possible: you have to configure a fork to send data to two groups of indexers following the instructons at https://docs.splunk.com/Documentation/Splunk/9.0.2/Forwarding/Routeandfilterdatad#Filter_and_route_e...

Sincerely I never tested this situation but If one group isn't available HF should cache those data and send them to the second group when available.

Ciao.

Giuseppe

Configure forwarding data to two tcpout groups without blocking on group failure.

heavy forwarder

indexer

intermediate forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation