I wanna forward all data from a hf to two splunk instances, not only something. 

Cannot I just use multiple defaultGroup?

How do I refer to all data in a props? For source host or source type. 

Thanks 

Yes, if you want to send everything to both locations then use the multiple groups in the defaultGroup as per my original post, however its important to understand the impact of doing this, for example a blocked output queue may block all processing depending how its configured. For example see dropEventsOnQueueFull info below. By default this is -1 which means that if 1 of your outputs is blocked, then it could fill the parsingQueue and ultimately stop logs being sent on to your other output until both outputs are available to receive data. This may not be an issue but worth understanding the implications.

dropEventsOnQueueFull = <integer>[ms|s|m]
* The amount of time to wait before the output queue throws out all
new events until it has space.
* If set to 0ms(milliseconds) or 0s(seconds) or 0m(minutes),
the queue throws out all new events immediately until it has space.
* If set to a positive number, the queue waits 'dropEventsonQueueFull'
seconds before throwing out all new events.
* If set to -1 or 0, the output queue blocks when it is full. This further
blocks events up the processing chain.
* If any target group queue is blocked, no more data reaches any other
target group.
* Using auto load-balancing is the best way to minimize this condition.
In this case, multiple receivers must be down (or jammed up) before
queue blocking can occur.
* CAUTION: DO NOT SET THIS TO A POSITIVE INTEGER IF YOU ARE
MONITORING FILES.
* Default: -1

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

So, please, what is the right solution, Filtering data is not for me, is there an example avaliable for my need please?

As it's been already said 3 or 4 times in this thread - you can set multiple default output groups.

Just be aware of the consequences which - again - were already mentioned.

If you want to send _all_ data to both destinations, you can just use two (or more) default groups. (see my remark about blocking though).

If you want to selectively route data, you need to either set one group by default and modify _TCP_ROUTE key by transforms when needed or set two groups and change _TCP_ROUTE when events are needed in only one destination.

Yes, this is the basic setup which should work. Be aware though that issues with _any_ output group will block _all_ outputs.