Hi there, If I have several splunk clouds and a heavy forwarder on-premise, how can I configure the heavy forwarder to send specific logs to a specific splunk cloud?
This can be achieved via the magic of props, transforms and outputs.conf on a heavy forwarder. Here are the steps.
props.conf:
[<your sourcetype>]
# or a [host::<your host>] / [source::<your source>] stanza instead
TRANSFORMS-routing=route_data_to_region1
TRANSFORMS-routing1=route_data_to_region2
TRANSFORMS-routing2=route_data_to_region3

transforms.conf:
[route_data_to_region1]
# Your regex to match the data that you want to send to this region
REGEX=<your regex>
DEST_KEY=_TCP_ROUTING
# FORMAT names the target group defined in a [tcpout:<target_group>] stanza of outputs.conf for this region
FORMAT=target_group1

[route_data_to_region2]
# Your regex to match the data that you want to send to this region
REGEX=<your regex>
DEST_KEY=_TCP_ROUTING
FORMAT=target_group2

[route_data_to_region3]
# Your regex to match the data that you want to send to this region
REGEX=<your regex>
DEST_KEY=_TCP_ROUTING
FORMAT=target_group3

outputs.conf:
[tcpout:target_group1]
# Enter your indexers' IP address and port
server=<ip>:<port>
# Add more details like the cert's path (provided by Splunk for Splunk Cloud) for the TLS handshake, the key's path and other configs as required.

[tcpout:target_group2]
server=<ip>:<port>

[tcpout:target_group3]
server=<ip>:<port>
Hope this helps,
##If this helps, please consider an upvote/accepting as an answer###
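As an added dry-run check (not part of the answer above, and not Splunk's own tooling): this Python snippet parses constructed props/transforms/outputs snippets in the same layout and reports which tcpout group each sample event would reach, plus any FORMAT target group with no matching tcpout stanza. The ordering rule it models (TRANSFORMS- classes applied in ASCII order, last match wins) and the example hostnames are assumptions, not taken from the post.

```python
import configparser
import re
def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; configparser lowercases by default
    cp.read_string(text)
    return cp
# Constructed sample configs mirroring the answer's props/transforms/outputs layout.
PROPS = load_conf("""
[fw_syslog]
TRANSFORMS-routing = route_data_to_region1
TRANSFORMS-routing1 = route_data_to_region2
TRANSFORMS-routing2 = route_data_to_region3
""")
TRANSFORMS = load_conf(r"""
[route_data_to_region1]
REGEX = \bregion=eu\b
DEST_KEY = _TCP_ROUTING
FORMAT = target_group1
[route_data_to_region2]
REGEX = \bregion=us\b
DEST_KEY = _TCP_ROUTING
FORMAT = target_group2
[route_data_to_region3]
REGEX = \bregion=apac\b
DEST_KEY = _TCP_ROUTING
FORMAT = target_group3
""")
OUTPUTS = load_conf("""
[tcpout:target_group1]
server = inputs-eu.example.splunkcloud.com:9997
[tcpout:target_group2]
server = inputs-us.example.splunkcloud.com:9997
[tcpout:target_group3]
server = inputs-apac.example.splunkcloud.com:9997
""")
def route(sourcetype, event, props=PROPS, transforms=TRANSFORMS, outputs=OUTPUTS):
    """tcpout group this event would be forwarded to, or None if it would not be forwarded."""
    chosen = None
    # Assumed ordering: TRANSFORMS-<class> keys run in ASCII order and a later match that also
    # sets _TCP_ROUTING overwrites the earlier value, so the last matching rule wins.
    for key in sorted(k for k in props[sourcetype] if k.startswith("TRANSFORMS-")):
        for name in props[sourcetype][key].split(","):
            t = transforms[name.strip()]
            if t.get("DEST_KEY") == "_TCP_ROUTING" and re.search(t["REGEX"], event):
                chosen = t["FORMAT"]
    # No match: data goes to the outputs.conf defaultGroup; with none set it is silently not forwarded.
    return chosen or outputs.get("tcpout", "defaultGroup", fallback=None)
def missing_targets(transforms=TRANSFORMS, outputs=OUTPUTS):
    # FORMAT groups referenced by transforms.conf that have no [tcpout:<group>] stanza
    groups = {g.strip() for s in transforms.sections() for g in transforms[s].get("FORMAT", "").split(",")}
    return sorted(g for g in groups if g and not outputs.has_section(f"tcpout:{g}"))
```

Events that match none of the regexes come back as None, which is the case to look for before go-live: with no defaultGroup those logs never reach any of the clouds.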