We are on 7.2.5.1. My outputs.conf is sending incoming Windows logs out to 2 F5 VIPs via a syslog stanza. The data is going out and only ever hits the first VIP in the server= line in the stanza.
[syslog:test_group]
priority = NO_PRI
server = 10.X.X.1:514,10.X.X.2:514
type = udp
The .1 is receiving all of the data on the F5 and the HF never seems to switch over to the .2 IP.
Any help would be greatly appreciated.
Your configuration is not correct for what you're trying to accomplish.
The "server" parameter in the [syslog] stanza takes only a single IP:PORT and is where you define the address to your syslog server (singular).
This parameter is not for load balancing, and is the reason only one of your two defined IPs is receiving data.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Outputsconf#Syslog_output
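As an added illustration of the rule in this answer (this is not Splunk's code or the poster's), a small Python linter that reads an outputs.conf and flags a [syslog:<group>] server value carrying more than one address, and a defaultGroup entry with no matching stanza; the host:port pattern, the message wording and the sample configs are my own assumptions.

```python
import configparser
import re

# Assumed shape of one syslog destination: hostname-or-IP, colon, port.
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def lint_outputs_conf(text):
    """Return problems found in outputs.conf text; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so "defaultGroup" is matched as written
    cp.read_string(text)
    problems = []
    groups = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("syslog:")}
    # Every group in [syslog] defaultGroup (with or without "syslog:") needs a stanza.
    for group in cp.get("syslog", "defaultGroup", fallback="").split(","):
        group = group.strip()
        if group.startswith("syslog:"):
            group = group[len("syslog:"):]
        if group and group not in groups:
            problems.append(f"defaultGroup names undefined group {group!r}")
    # A [syslog:<group>] server value is a single host:port, never a list.
    for section in cp.sections():
        if not section.startswith("syslog:"):
            continue
        server = cp.get(section, "server", fallback="").strip()
        if not server:
            problems.append(f"[{section}] has no server setting")
        elif "," in server:
            problems.append(f"[{section}] server lists several addresses; it takes one host:port")
        elif not HOST_PORT.match(server):
            problems.append(f"[{section}] server {server!r} is not host:port")
    return problems


# Constructed sample: the original poster's stanza with two VIPs in one server line.
BAD_CONF = """
[syslog:test_group]
server = 10.X.X.1:514,10.X.X.2:514
"""

# Constructed sample: one stanza per destination, as this answer recommends.
GOOD_CONF = """
[syslog]
defaultGroup = syslog:test_group1, syslog:test_group2
[syslog:test_group1]
server = 10.X.X.1:514
[syslog:test_group2]
server = 10.X.X.2:514
"""
```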
Thanks, so do something like this?
[syslog]
defaultGroup = syslog:test_group1, syslog:test_group2
type = udp
priority = NO_PRI
[syslog:test_group1]
server = 10.X.X.1:514
[syslog:test_group2]
server = 10.X.X.2:514
It's a bit of a one-off configuration, and I'm not sure your results will be consistent, but this config combo should work. Though I can't be certain you won't get duplicate data.
[syslog]
defaultGroup = syslog:test_group1, syslog:test_group2
type = udp
priority = NO_PRI
[syslog:test_group1]
server = 10.X.X.1:514
[syslog:test_group2]
server = 10.X.X.2:514
I tried the above config and unfortunately it didn't work. It still only sent to one IP address. Here is the outputs.conf that I tried:
[syslog]
defaultGroup = syslog:test_group1,syslog:test_group2
type = udp
priority = NO_PRI
[syslog:test_group1]
server = 10.x.x.1:514
[syslog:test_group2]
server = 10.x.x.2:514
A number of things could cause that. Did you cycle Splunk after making the config change? Is the F5 using a wildcard on the IP? Have you tried commenting out test_group1 to verify data reaches test_group2?
Again, what you're trying to do is a one-off, and isn't really meant to be configured this way. It may honestly be time to re-think your approach on this.
Yes, I did restart Splunk. I didn't comment out test_group1 this time but did before I made this specific change and saw data going to group2. Thanks for your help.
You could try the example in the documentation, which will work, and also ensure you don't get duplicate data.
#
# The following example shows how to route events to syslog server
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
#
# 1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing
# attribute:
[default]
TRANSFORMS-routing=errorRouting
[syslog]
TRANSFORMS-routing=syslogRouting
# 2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting
# and syslogRouting rules:
[errorRouting]
REGEX=error
DEST_KEY=_SYSLOG_ROUTING
FORMAT=errorGroup
[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
# 3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which syslog
# outputs go to with servers or groups:
[syslog]
defaultGroup=everythingElseGroup
[syslog:syslogGroup]
server = 10.1.1.197:9997
[syslog:errorGroup]
server=10.1.1.200:9999
[syslog:everythingElseGroup]
server=10.1.1.250:6666
I'm assuming that you are using two F5s for redundancy, but you can configure a single VIP across two clustered F5s (much easier in haproxy), and that would solve your issue.
Currently the 2 VIPs are on one F5. We had one VIP going to a 2 IP pool but saw that traffic was only going to a single IP in the pool. So we are now trying 2 VIPs with the 2 IPs in the pool's flipped so the first VIP goes to .3 and .4 in the pool and the second VIP goes to .4 and .3 in the pool. Make sense?
I have a lot of questions.. can you clarify:
"incoming Windows Logs" - so we can understand if these are generic OTS Windows logs or if they are syslog in nature?
"incoming Windows Logs" - sitting on the HF you mentioned in your title or from other UFs maybe?
"2 F5 VIPs" - doubling as indexers for your Splunk architecture or do these incoming logs get to indexers at some point?
They are wineventlog - app/sec/sys
They are coming in to the HF via UF.
The data gets sent to an index cluster via another app/stanza on the HF and they look fine in Splunk.
Thanks!
Are you sending these as [syslog] to the 2 F5 VIPs because that is the only port open on those hosts?
Is the indexer cluster stanza using [syslog] and has to send via port 514(UDP) too?
No, the indexers are receiving the data via the standard Splunk indexer port 9997. I'm sending via syslog to the F5 because that's the way the host behind the VIPs wants to see it.