Hi @raomu

You need to correct your `outputs.conf` configuration as you have a duplicate stanza name "[tcpout: splunkonprem]" and you haven't defined the "splunkcloud" output group. Additionally, the defaultGroup setting in the [tcpout] stanza determines where data goes if an outputgroup is not specified in inputs.conf.

To send only "dd-log-token2" data to both destinations and all other data only to On-Prem (as implied by your goal), configure:

outputs.conf

```
[tcpout]
# Data without a specific outputgroup goes here
defaultGroup = splunkonprem
forceTimebasedAutoLB = true

# Stanza names must be unique: one [tcpout:<groupname>] per output group
[tcpout:splunkonprem]
# Your On-Prem indexers
server = zyx.com:9997, abc.com:9997

[tcpout:splunkcloud]
# Your Splunk Cloud forwarder endpoint
server = <your_splunk_cloud_inputs_endpoints>:9997
```

Add other relevant settings like `compressed=true`, `useACK=true` if needed and any required Splunk Cloud specific settings (e.g., `sslCertPath`, `sslPassword` if using certs).

inputs.conf on Heavy Forwarder

```
[http://dd-log-token1]
index = ddlogs1
token = XXXXX XXX XXX XXX
# No outputgroup: falls back to defaultGroup (splunkonprem)

[http://dd-log-token2]
index = ddlogs2
token = XXXXX XXX XXX XXX
# This overrides defaultGroup and sends to both
outputgroup = splunkonprem, splunkcloud

[http://dd-log-token3]
index = ddlogs3
token = XXXXX XXX XXX XXX
# No outputgroup: falls back to defaultGroup (splunkonprem)
```

Explanation:

- outputs.conf/[tcpout]/defaultGroup: Sets the default destination(s) for data that doesn't have a specific outputgroup assigned in inputs.conf. In this corrected example, data defaults to "splunkonprem" only.
- outputs.conf/[tcpout:groupname]: Defines named output groups. You need one stanza for each group (`splunkonprem` and `splunkcloud`) with the correct server details. Stanza names must be unique.
- inputs.conf/[stanza]/outputgroup: Assigns data from that specific input stanza to the listed output group(s), overriding the defaultGroup. The setting "outputgroup = splunkonprem, splunkcloud" sends data from [http://dd-log-token2] to both defined groups.

Further Troubleshooting:

- Can you see your Splunk Forwarder establishing a connection to Splunk Cloud successfully? We need to rule out connection issues to Splunk Cloud which aren't related to the outputgroup. Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for errors setting up the connection.
- Ensure the Splunk Cloud inputs endpoint (`<your_splunk_cloud_inputs_endpoints>:9997`) is correct for your stack. There are often ~12 input servers listed.
- Verify network connectivity (firewall rules) from the Heavy Forwarder to both your On-Prem indexers and the Splunk Cloud inputs endpoint on port 9997.
- Restart the Splunk forwarder service after applying configuration changes.

Useful Docs:

- outputs.conf: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
- inputs.conf (HTTP Event Collector section): https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#http:_.28HTTP_Event_Collector.29
- Forward data based on source, sourcetype, or host: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_input_configuration

Did this answer help you? If so, please consider:

- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
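An added consistency check (example code written for this thread, not a Splunk tool or the answer's own): it parses outputs.conf and inputs.conf text and reports duplicate stanzas and any defaultGroup/outputgroup reference to a group that has no matching [tcpout:<name>] stanza, which are the two defects in the original configuration. The sample texts are constructed, the cloud endpoint is a placeholder, and stanza names are compared verbatim, so a stray space inside the brackets is reported rather than assumed equivalent.

```python
def parse_conf(text):
    # Returns ({stanza: {key: value}}, [stanza names that appear more than once]).
    stanzas, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                     # verbatim: "tcpout: x" is not "tcpout:x"
            if current in stanzas:
                duplicates.append(current)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas, duplicates

def check_routing(outputs_text, inputs_text):
    outputs, out_dups = parse_conf(outputs_text)
    inputs, in_dups = parse_conf(inputs_text)
    problems = [f"duplicate stanza [{s}]" for s in out_dups + in_dups]
    defined = {n[len("tcpout:"):] for n in outputs if n.startswith("tcpout:")}
    refs = []                                        # (where it is set, comma-separated groups)
    default = outputs.get("tcpout", {}).get("defaultGroup")
    if default:
        refs.append(("outputs.conf [tcpout] defaultGroup", default))
    for stanza, keys in inputs.items():
        if "outputgroup" in keys:
            refs.append((f"inputs.conf [{stanza}] outputgroup", keys["outputgroup"]))
    for where, value in refs:
        for group in (g.strip() for g in value.split(",")):
            if group not in defined:
                problems.append(f"{where} references undefined group '{group}'")
    return problems

# Constructed samples: the broken shape from the question (repeated stanza, stray space, no splunkcloud) and the fix.
BROKEN_OUTPUTS = """[tcpout]
defaultGroup = splunkonprem
[tcpout: splunkonprem]
server = zyx.com:9997
[tcpout: splunkonprem]"""
FIXED_OUTPUTS = """[tcpout]
defaultGroup = splunkonprem
[tcpout:splunkonprem]
server = zyx.com:9997, abc.com:9997
[tcpout:splunkcloud]
server = <your_splunk_cloud_inputs_endpoints>:9997"""
INPUTS = """[http://dd-log-token2]
index = ddlogs2
outputgroup = splunkonprem, splunkcloud"""
```

Running `check_routing(BROKEN_OUTPUTS, INPUTS)` returns four problems (the duplicate stanza plus three undefined-group references), while the fixed outputs.conf returns an empty list.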