How can I index logs to a specific splunk cloud?

zcx01067
Explorer

Hi there, If I have several splunk clouds and a heavy forwarder on-premise, how can I configure the heavy forwarder to send specific logs to a specific splunk cloud?


shivanshu1593
Builder

This can be achieved via the magic of props, transforms and outputs.conf on a heavy forwarder. Here are the steps:

  • Select the log source and find its metadata value (host, source or sourcetype).
  • In props.conf (under the app where your inputs are kept, or under system/local), put the following:

# The stanza header is the metadata selector: [yoursourcetype], [host::yourhost] or [source::yoursource]
[yoursourcetype]
TRANSFORMS-routing=route_data_to_region1
TRANSFORMS-routing1=route_data_to_region2
TRANSFORMS-routing2=route_data_to_region3

  • In the same directory, in transforms.conf, please put the following:

[route_data_to_region1]
REGEX=<Your regex to match the data that you want to send to this region>
DEST_KEY=_TCP_ROUTING
# FORMAT names the target group defined in the outputs.conf stanza for this region.
# Keep comments on their own line: a trailing "#" after a value becomes part of the value.
FORMAT=target_group1

[route_data_to_region2]
REGEX=<Your regex to match the data that you want to send to this region>
DEST_KEY=_TCP_ROUTING
FORMAT=target_group2

[route_data_to_region3]
REGEX=<Your regex to match the data that you want to send to this region>
DEST_KEY=_TCP_ROUTING
FORMAT=target_group3

  • Now in outputs.conf under the same directory, you can route the data to your different Splunk Cloud regions. Since it's Splunk Cloud, please add the certificate path and key like the ones present in the certificate app.

[tcpout:target_group1]
# Enter your indexers' address and port for this region.
# Add the cert path (provided by Splunk for Splunk Cloud) for the TLS handshake, the key path and other settings as required.
server=<ip>:<port>

[tcpout:target_group2]
server=<ip>:<port>

[tcpout:target_group3]
server=<ip>:<port>

  • Restart the Splunk service on the HF and the data routing shall begin.

Hope this helps,


Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
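As an added example (not code from the original answer or from Splunk), here is a small Python check for the routing chain described above. It reads props/transforms/outputs text in the same layout, flags the things that silently break routing (a TRANSFORMS-* key pointing at a missing transform, a FORMAT that names no tcpout group, a Splunk Cloud output group with no client certificate), and dry-runs sample events to show which target group each would reach. Everything in it is constructed: the `syslog` sourcetype, the `example.com` hosts, the certificate paths and the events are placeholders, and the simulated transform ordering (file order, last match wins, fall back to defaultGroup) is a simplification of Splunk's pipeline, not its exact behaviour.

```python
import configparser
import re

# Constructed sample configuration mirroring the answer's layout. Hosts, paths
# and stanza names are placeholders. [route_data_to_region2] deliberately has a
# trailing "#" comment on FORMAT to show why inline comments break routing.
PROPS_CONF = """
[syslog]
TRANSFORMS-routing=route_data_to_region1
TRANSFORMS-routing1=route_data_to_region2
"""

TRANSFORMS_CONF = """
[route_data_to_region1]
REGEX=region=eu
DEST_KEY=_TCP_ROUTING
FORMAT=target_group1

[route_data_to_region2]
REGEX=region=us
DEST_KEY=_TCP_ROUTING
FORMAT=target_group2 #this trailing comment becomes part of the value
"""

OUTPUTS_CONF = """
[tcpout]
defaultGroup=target_group1

[tcpout:target_group1]
server=inputs.region1.example.com:9997
sslCertPath=$SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/client.pem
sslRootCAPath=$SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/cacert.pem

[tcpout:target_group2]
server=inputs.region2.example.com:9997
"""

# Constructed sample events (sourcetype syslog).
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 web01 sshd: Accepted publickey for alice region=eu",
    "Jan 10 12:00:02 web02 sshd: Accepted publickey for bob region=us",
    "Jan 10 12:00:03 web03 sshd: Accepted publickey for carol region=ap",
]


def load_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}. Keys stay case-sensitive
    and only whole-line '#' comments are dropped: a '#' after a value is data."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",),
        comment_prefixes=("#",), inline_comment_prefixes=None,
    )
    parser.optionxform = str  # keep TRANSFORMS-routing, DEST_KEY etc. as written
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def routing_transforms(stanza):
    """Transform names referenced by TRANSFORMS-* keys, in file order."""
    names = []
    for key, value in stanza.items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(",") if n.strip())
    return names


def validate(props, transforms, outputs):
    """Return a list of problems that would make the routing chain misbehave."""
    problems = []
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    for stanza_name, stanza in props.items():
        for name in routing_transforms(stanza):
            t = transforms.get(name)
            if t is None:
                problems.append(f"props [{stanza_name}] references missing transform [{name}]")
                continue
            if t.get("DEST_KEY") != "_TCP_ROUTING":
                problems.append(f"transform [{name}] must set DEST_KEY=_TCP_ROUTING")
            fmt = t.get("FORMAT", "")
            if fmt not in groups:
                hint = " (a trailing '#' comment is part of the value)" if "#" in fmt else ""
                problems.append(f"transform [{name}] FORMAT={fmt!r} is not a tcpout group{hint}")
    for group in sorted(groups):
        # Splunk Cloud only accepts TLS from forwarders, so expect a client certificate.
        if not any(k in outputs[f"tcpout:{group}"] for k in ("clientCert", "sslCertPath")):
            problems.append(f"[tcpout:{group}] has no client certificate configured")
    return problems


def route(raw, sourcetype, props, transforms, outputs):
    """Dry-run: name of the tcpout group an event would be sent to.
    Assumed simplification: props looked up by sourcetype only, transforms run in
    file order, each match overwrites _TCP_ROUTING, no match -> defaultGroup."""
    target = outputs.get("tcpout", {}).get("defaultGroup")
    for name in routing_transforms(props.get(sourcetype, {})):
        t = transforms.get(name, {})
        if t.get("DEST_KEY") == "_TCP_ROUTING" and "REGEX" in t and re.search(t["REGEX"], raw):
            target = t.get("FORMAT", target)
    return target


if __name__ == "__main__":
    props, transforms, outputs = (load_conf(c) for c in (PROPS_CONF, TRANSFORMS_CONF, OUTPUTS_CONF))
    for problem in validate(props, transforms, outputs):
        print("PROBLEM:", problem)
    for event in SAMPLE_EVENTS:
        print(event[-9:], "->", repr(route(event, "syslog", props, transforms, outputs)))
```

Running it reports that `route_data_to_region2` points at a group that does not exist (because the inline comment is part of the FORMAT value) and that `target_group2` has no client certificate; the dry run then shows the `region=us` event being routed to the malformed group name while the `region=ap` event, which matches nothing, falls back to `defaultGroup`. On a real heavy forwarder, `splunk btool transforms list --debug` shows the merged values splunkd actually sees, which is the quickest way to catch the same trailing-comment mistake.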