I have a Splunk enterprise cluster which also needs to forward some logs to a completely separate Splunk cluster.
I couldn't easily find a way in my heavy forwarder config to send logs locally to one index and to another index in the remote cluster.
In my outputs.conf I have [tcpout:local] and [tcpout:remote].
My props.conf:

    [syslog]
    TRANSFORMS-routing = remote-routing
And transforms.conf:

    [remote-routing]
    REGEX = .
    DEST_KEY = _TCP_ROUTING
    # route to local Splunk and remote Splunk
    FORMAT = local,remote
How can I update this so that locally the logs go to the syslog index (the default) and in the remote Splunk they go to an index named syslog_xyz?