Getting Data In

HF different index names for each target group

stephenmuss
Engager

I have a Splunk enterprise cluster which also needs to forward some logs to a completely separate Splunk cluster.

I couldn't easily find a way in my heavy forwarder config to send logs locally to one index and to another index in the remote cluster.

In my outputs.conf I have [tcpout:local] and [tcpout:remote]

My props.conf

[syslog]
TRANSFORMS-routing = remote-routing

And transforms.conf

[remote-routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
# route to local Splunk and remote Splunk
FORMAT = local,remote

How can I update this so that locally logs go to a syslog index (the default) and in the remote Splunk they go to an index syslog_xyz?

codebuilder
Influencer

You'll need to use syslog stanzas in outputs.conf instead of tcp.

Such as this example taken from the documentation:

[syslog]
defaultGroup=everythingElseGroup

[syslog:syslogGroup]
server = 10.1.1.197:9997

[syslog:errorGroup]
server=10.1.1.200:9999

[syslog:everythingElseGroup]
server=10.1.1.250:6666

Though you'll also want to set type = tcp as udp is the default.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Outputsconf#Syslog_output

----
An upvote would be appreciated and Accept Solution if it helps!
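The mismatch this answer points at (a `[syslog:...]` output group being referenced from a transform whose `DEST_KEY` is `_TCP_ROUTING`, and the udp default on syslog outputs) is easy to miss by eye across three conf files. The following is an added example, not code from the thread or from Splunk: a small consistency check that parses outputs.conf, props.conf and transforms.conf fragments and reports routing stanzas that reference groups of the wrong kind, groups that do not exist, `TRANSFORMS-*` entries that name a missing transform, and syslog groups that still rely on the udp default. The conf contents are constructed (the original poster's config with a `[syslog:remote]` group, and a corrected pair), the host addresses are placeholders, and the rule that `_TCP_ROUTING` names `tcpout` groups while `_SYSLOG_ROUTING` names `syslog` groups follows the outputs.conf/transforms.conf documentation. It does not answer the separate question of a different index per target group, which the thread leaves open.

```python
"""Consistency check for heavy-forwarder routing config (added example).

Constructed conf fragments are embedded so the check runs offline; in
practice read the files from $SPLUNK_HOME/etc/system/local or an app.
"""
import configparser

# --- As posted in the question, after moving the remote group to a syslog stanza ---
OUTPUTS_CONF = """
[tcpout]
defaultGroup = local

[tcpout:local]
server = 127.0.0.1:9997

[syslog:remote]
server = 192.0.2.10:514
"""

PROPS_CONF = """
[syslog]
TRANSFORMS-routing = remote-routing
"""

TRANSFORMS_CONF = """
[remote-routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = local,remote
"""

# --- Corrected pair: one transform per routing key, syslog output over tcp ---
OUTPUTS_FIXED = OUTPUTS_CONF + "type = tcp\n"

PROPS_FIXED = """
[syslog]
TRANSFORMS-routing = local-routing, remote-routing
"""

TRANSFORMS_FIXED = """
[local-routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = local

[remote-routing]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote
"""

# DEST_KEY -> kind of outputs.conf stanza its FORMAT list may name
ROUTING_KEYS = {"_TCP_ROUTING": "tcpout", "_SYSLOG_ROUTING": "syslog"}


def parse_conf(text):
    """Parse Splunk .conf text; keys keep their case, '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def output_groups(outputs):
    """Map group name -> (kind, settings) for [tcpout:NAME] and [syslog:NAME] stanzas."""
    groups = {}
    for section in outputs.sections():
        kind, sep, name = section.partition(":")
        if sep and kind in ("tcpout", "syslog"):
            groups[name] = (kind, dict(outputs[section]))
    return groups


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_routing(outputs_text, props_text, transforms_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    groups = output_groups(parse_conf(outputs_text))
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)

    # props.conf must only reference transforms that exist
    for stanza in props.sections():
        for key, value in props[stanza].items():
            if key.startswith("TRANSFORMS-"):
                for name in _csv(value):
                    if name not in transforms.sections():
                        findings.append(f"props [{stanza}] {key}: transform '{name}' not defined")

    # routing transforms must name groups of the matching kind
    for stanza in transforms.sections():
        dest = transforms[stanza].get("DEST_KEY")
        if dest not in ROUTING_KEYS:
            continue
        for name in _csv(transforms[stanza].get("FORMAT", "")):
            if name not in groups:
                findings.append(f"transforms [{stanza}]: group '{name}' has no tcpout:/syslog: stanza")
                continue
            kind, _ = groups[name]
            if kind != ROUTING_KEYS[dest]:
                findings.append(f"transforms [{stanza}]: {dest} cannot target [{kind}:{name}]")

    # syslog outputs default to udp; flag groups that have not opted into tcp
    for name, (kind, settings) in groups.items():
        if "server" not in settings:
            findings.append(f"outputs [{kind}:{name}]: missing server")
        if kind == "syslog" and settings.get("type", "udp").lower() != "tcp":
            findings.append(f"outputs [syslog:{name}]: type defaults to udp; set type = tcp")
    return findings


if __name__ == "__main__":
    for f in check_routing(OUTPUTS_CONF, PROPS_CONF, TRANSFORMS_CONF):
        print("FINDING:", f)
    print("fixed config findings:", check_routing(OUTPUTS_FIXED, PROPS_FIXED, TRANSFORMS_FIXED))
```

Run against the posted config it reports that `remote-routing` cannot send `_TCP_ROUTING` traffic to `[syslog:remote]` and that the syslog group is still udp; against the corrected pair it reports nothing. Splitting the routing into one transform per `DEST_KEY` is what lets a single sourcetype feed both a `tcpout` group and a `syslog` group.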

progre55
Engager

@stephenmuss have you been able to find a solution? I'm facing the same challenge.
