Getting Data In

How to configure an app's outputs.conf to forward data to a specific indexer?


Hi Experts,

We deployed 4 apps on Splunk Universal Forwarder. 3 apps having same outputs.conf and sending data to same indexer.

The 4th app has a different indexer IP.

All 3 apps are able to send data to their respective indexer but the 4th app is failing to send data.

If I delete all 3 apps and keep only 4th one, it works.

Need your expert suggestion.

0 Karma


I am thinking one more way :

all 4 apps data to >> Heavy forwarder

From Heavy forwarder send 3 APPS index to Indexer 1

From heavy forwarder send 4th APPS index to indexer 2

Can any one help with Heavy forwarder configuration for this.

0 Karma


Hi chanduira,
I suggest to create a different TA containing only one outputs.conf comprehensive of the four configurations and deploy it using a Deployment Server.
In this way you're sure to not have conflicts between outputs.conf files.

0 Karma

Splunk Employee
Splunk Employee

When you deploy the 3 apps, you are likely overriding the 4th app's outputs.conf

Can you share the outputs.conf of the 3 apps vs the 4th app so we can help you reach the config you are looking for?

0 Karma


output.conf is same for all APPS, only group and indexer name is different

for 3 apps

groupname is : defaultgroup


for 4th apps

groupname is : group4

indexer :

0 Karma

Splunk Employee
Splunk Employee

You can, and should be able to avoid the need for a heavy forwarder, using route and filtering options for inputs

see: Route inputs to specific indexers based on the data's input

you can create a single outputs.conf with all target indexers defined



Then in inputs you can use TCP_ROUTING to point the inputs accordingly.

TCPROUTING = systemGroup

TCPROUTING = applicationGroup

0 Karma