I have a Splunk enterprise cluster which also needs to forward some logs to a completely separate Splunk cluster.
I couldn't easily find a way in my heavy forwarder config to send logs locally to one index and to another index in the remote cluster.
In my outputs.conf I have [tcpout:local] and [tcpout:remote]
# props.conf (under the stanza for the sourcetype/source being routed)
TRANSFORMS-routing = remote-routing

# transforms.conf
[remote-routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
# route to local Splunk and remote Splunk
FORMAT = local,remote
How can I update this so that locally the logs go to the syslog index (the default) and in the remote Splunk they go to an index called syslog_xyz?
You'll need to use syslog stanzas in outputs.conf instead of tcp.
Such as this example, taken from the documentation:
server = 10.1.1.197:9997
Though you'll also want to set type = tcp, as udp is the default.
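A complete version of the syslog-output approach the answer suggests, written here as an added example; it is not from the original post, the answer, or Splunk's documentation. It assumes the following, none of which the thread states: the logs arrive on the heavy forwarder with sourcetype syslog; the local cluster is reached through the existing [tcpout:local] group, whose indexer names below are hypothetical; the remote cluster listens with a raw tcp:// input (not a splunktcp:// receiver, because syslog output sends uncooked text) on the hypothetical port 1514 of the 10.1.1.197 host mentioned in the answer; and the remote side assigns the index in inputs.conf, because _MetaData:Index is set once per event on the forwarder and cannot differ between output groups.

```ini
# --- Heavy forwarder: outputs.conf ---
[tcpout]
defaultGroup = local            # cooked copy of every event goes to the local cluster

[tcpout:local]
# hypothetical local indexers
server = idx1.local.example:9997, idx2.local.example:9997

# Syslog output for the remote cluster: raw text with a syslog header, not cooked data
[syslog:remote]
server = 10.1.1.197:1514        # hypothetical raw TCP listener on the remote side
type = tcp                      # udp is the default; tcp avoids silent loss of events

# --- Heavy forwarder: props.conf ---
[syslog]
# two transforms, because one stanza can set only one DEST_KEY
TRANSFORMS-routing = route_local, route_remote

# --- Heavy forwarder: transforms.conf ---
[route_local]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = local                  # tcpout group name, index stays at the input default (syslog)

[route_remote]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote                 # syslog group name from outputs.conf

# --- Remote cluster (indexer or collecting forwarder): inputs.conf ---
[tcp://1514]
sourcetype = syslog
index = syslog_xyz              # the remote-only index the question asks for
connection_host = dns
```

After restarting the forwarder, confirm the merged view of each file with splunk btool (for example `splunk btool transforms list route_remote --debug`) so a stray default or app-level stanza is not shadowing the routing. Two caveats a practitioner would want: the remote side re-parses the text (line breaking and timestamp extraction run again under the sourcetype set in inputs.conf, not the forwarder's parsing), and the syslog output is plain unencrypted TCP with no authentication, so this leg should run over a network path you already trust or through a tunnel, unlike the TLS-capable splunktcp leg to the local cluster.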
@stephenmuss have you been able to find a solution? I'm facing the same challenge.