the issue here is when i use default-group all the data will be forwarded to the default-group address even tcpout:apacheLinux
and when i remove default-group from outputs.conf ,data is forwaded correctly to the 2 different indexers
here the example that i have followed in splunk official documentation
syslogGroup and errorGroup receive events according to the rules specified in transforms.conf. All other events get routed to the default group, everythingElseGroup.
Thank you but In splunk official documentation (last example) they said " All other events get routed to the default group, everythingElseGroup" that means syslogGroup and errorGroup will be forwarded to the right place not the defaultgroup.