You could try the example in the documentation, which will work, and also ensure you don't get duplicate data.
#
# The following example shows how to route events to syslog server
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
#
# 1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing
# attribute:
[default]
TRANSFORMS-routing=errorRouting
[syslog]
TRANSFORMS-routing=syslogRouting
# 2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting
# and syslogRouting rules:
[errorRouting]
REGEX=error
DEST_KEY=_SYSLOG_ROUTING
FORMAT=errorGroup
[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
# 3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which syslog
# outputs go to with servers or groups:
[syslog]
defaultGroup=everythingElseGroup
[syslog:syslogGroup]
server = 10.1.1.197:9997
[syslog:errorGroup]
server=10.1.1.200:9999
[syslog:everythingElseGroup]
server=10.1.1.250:6666
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf?utm_source=answers&utm_medium=in-comment&utm_term=outputs.conf&utm_campaign=refdoc#outputs.conf.example
... View more