Hi Splunkers,
here are my 3 configuration files: transforms, props, outputs.
/// props.conf
[host:firstClient]
TRANSFORMS-routing=apacheWindows
[host:secondClient]
TRANSFORMS-routing=apacheLinux
/// transforms.conf
[apacheWindows]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=apacheWindows
[apacheLinux]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=apacheLinux
/// outputs.conf
[tcpout]
defaultGroup = default-group
[tcpout:apacheWindows]
server=192.168.1.25:9997
[tcpout:apacheLinux]
server=192.168.1.24:9997
[tcpout:default-group]
server=192.168.1.25:9997
The issue here is that when I use default-group, all the data is forwarded to the default-group address, even the data for tcpout:apacheLinux,
and when I remove default-group from outputs.conf, the data is forwarded correctly to the 2 different indexers.
Here is the example that I have followed from the Splunk official documentation:
/////
[tcpout]
defaultGroup=everythingElseGroup
[tcpout:syslogGroup]
server=10.1.1.197:9996, 10.1.1.198:9997
[tcpout:errorGroup]
server=10.1.1.200:9999
[tcpout:everythingElseGroup]
server=10.1.1.250:6666
syslogGroup and errorGroup receive events according to the rules specified in transforms.conf. All other events get routed to the default group, everythingElseGroup.
//////
Thank you.
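A cross-check of the three posted files, added here as an example (not part of the original post and not Splunk's own tooling): it follows each TRANSFORMS-* key from props.conf through transforms.conf to a [tcpout:...] stanza in outputs.conf, flags chains that break (wrong DEST_KEY, FORMAT naming a missing group) and groups whose server list overlaps the defaultGroup's, which for the posted config is apacheWindows and default-group both pointing at 192.168.1.25:9997. It assumes Splunk's .conf syntax is close enough to INI for Python's configparser to read these stanzas; the embedded conf text is the poster's, with the REGEX lines left out for brevity.

```python
import configparser
# Constructed sample input: the three conf files as posted (REGEX lines omitted for brevity).
PROPS = """
[host:firstClient]
TRANSFORMS-routing=apacheWindows
[host:secondClient]
TRANSFORMS-routing=apacheLinux
"""
TRANSFORMS = """
[apacheWindows]
DEST_KEY=_TCP_ROUTING
FORMAT=apacheWindows
[apacheLinux]
DEST_KEY=_TCP_ROUTING
FORMAT=apacheLinux
"""
OUTPUTS = """
[tcpout]
defaultGroup = default-group
[tcpout:apacheWindows]
server=192.168.1.25:9997
[tcpout:apacheLinux]
server=192.168.1.24:9997
[tcpout:default-group]
server=192.168.1.25:9997
"""
def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys such as DEST_KEY and FORMAT are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}
def servers(group):
    # host:port entries of a [tcpout:...] stanza's comma-separated server list
    return {s.strip() for s in group.get("server", "").split(",") if s.strip()}
def check_routing(props, transforms, outputs):
    """Follow each TRANSFORMS-* key from props -> transforms -> outputs; report breaks and overlaps."""
    findings, default = [], outputs.get("tcpout", {}).get("defaultGroup", "")
    default_servers = servers(outputs.get(f"tcpout:{default}", {}))
    for stanza, keys in props.items():
        for name in (v for k, v in keys.items() if k.startswith("TRANSFORMS-")):
            tr = transforms.get(name, {})  # a missing transform surfaces as failed checks below
            if tr.get("DEST_KEY") != "_TCP_ROUTING":
                findings.append(f"[{stanza}] -> [{name}]: DEST_KEY is not _TCP_ROUTING")
            group = f"tcpout:{tr.get('FORMAT', '')}"
            if group not in outputs:
                findings.append(f"[{name}]: FORMAT names a missing [{group}] stanza")
            elif servers(outputs[group]) & default_servers:
                findings.append(f"[{group}] shares a server with defaultGroup '{default}'")
    return findings
```

Run against the posted files it reports only the server overlap between tcpout:apacheWindows and the default group; the apacheLinux chain comes back clean.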