Splunk forwarder is running in the host and sending the audit logs to Splunk instances through HEC. Now i want to send debug logs to another instance through another HEC end point. Is that possible to configure to HEC end points in Splunk forwarder?
I would say use outputs.conf to do data cloning.
[tcpout] defaultGroup=my_instance1, my_instance2 [tcpout:my_instance1] server=<instance_1_ip>:9997 [tcpout:my_instance2] server=<instance_2_ip>:9997 [tcpout-server://<instance_1_ip>:9997] [tcpout-server://<instance_2_ip>:9997]
https://docs.splunk.com/Documentation/Forwarder/8.2.4/Forwarder/Configureforwardingwithoutputs.conf
Ofcourse this will send all data to both the Splunk instance. If you wish to do just for that HEC input, you can use TCP_ROUTING.
Reference to implement TCP rounting - https://docs.splunk.com/Documentation/Splunk/8.2.4/Forwarding/Routeandfilterdatad
Judging from the docs, you could do the data cloning only with plain tcp outputs. Httpout doesn't seem to support multiple destinations.
