Wednesday 24 June 2015

Splunk Universal Forwarder configuring multiple output servers

Configuring the Splunk Universal Forwarder to forward logs to multiple indexers or receivers can be done by editing the outputs.conf file located in the $SPLUNK_HOME/etc/local folder.

By default, after the installation, the outputs.conf file will look something like this:
[tcpout]
defaultGroup = default-autolb-group 
[tcpout:default-autolb-group]
server = indexserver1:9997 
[tcpout-server://indexserver1:9997]
This forwards logs to indexserver1 on port 9997.

To add a second, independent receiver (either a third-party system or another Splunk instance), create a new group and server entry as follows:
[tcpout:third-party-server-group]
server = thirdpartyindexer:997
sendCookedData = false 
[tcpout-server://thirdpartyindexer:997]
and modify the defaultGroup entry as follows:
[tcpout]
defaultGroup = default-autolb-group, third-party-server-group
This enables data to be sent to both groups and thus to both servers. The extra entry sendCookedData = false tells the forwarder to send raw, unprocessed logs to the third-party receiver, which is required because a non-Splunk receiver cannot decode Splunk's cooked data format.

So ultimately the complete outputs.conf file will look like this:
[tcpout]
defaultGroup = default-autolb-group, third-party-server-group
[tcpout:default-autolb-group]
server = indexserver1:9997 
[tcpout-server://indexserver1:9997] 
[tcpout:third-party-server-group]
server = thirdpartyindexer:997
sendCookedData = false 
[tcpout-server://thirdpartyindexer:997]
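As an added sanity check (not part of the original post or of Splunk itself), the script below parses an outputs.conf like the one above and reports the mistakes that silently break forwarding: a group named in defaultGroup with no matching [tcpout:...] stanza, a server entry that is not host:port, or a non-Splunk group that still sends cooked data. The sample file is the one built up in the post, embedded as input; the set of third-party group names is an assumption the caller supplies.

```python
"""Consistency checks for a Splunk Universal Forwarder outputs.conf (added example)."""
import configparser

# The complete outputs.conf from the post, embedded here as constructed sample input.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group, third-party-server-group
[tcpout:default-autolb-group]
server = indexserver1:9997
[tcpout-server://indexserver1:9997]
[tcpout:third-party-server-group]
server = thirdpartyindexer:997
sendCookedData = false
[tcpout-server://thirdpartyindexer:997]
"""


def parse_outputs_conf(text):
    """Parse outputs.conf text. Keys keep their case and repeated stanzas are merged,
    which matches how Splunk layers .conf files (later keys win)."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep 'sendCookedData' rather than lowercasing it
    cp.read_string(text)
    return cp


def check_outputs_conf(text, third_party_groups=()):
    """Return a list of problems; an empty list means every group in defaultGroup is usable.
    third_party_groups (assumed caller input) names the groups whose receiver is not Splunk."""
    cp = parse_outputs_conf(text)
    problems = []
    if not cp.has_option("tcpout", "defaultGroup"):
        return ["[tcpout] has no defaultGroup, so nothing is forwarded by default"]
    groups = [g.strip() for g in cp.get("tcpout", "defaultGroup").split(",") if g.strip()]
    for group in groups:
        stanza = f"tcpout:{group}"
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup names '{group}' but [{stanza}] is missing")
            continue
        servers = [s.strip() for s in cp.get(stanza, "server", fallback="").split(",") if s.strip()]
        if not servers:
            problems.append(f"[{stanza}] has no server entry")
        for server in servers:
            host, _, port = server.rpartition(":")
            if not host or not port.isdigit():
                problems.append(f"[{stanza}] server entry '{server}' is not host:port")
        # A non-Splunk receiver cannot decode cooked data, so such groups need sendCookedData = false.
        cooked = cp.get(stanza, "sendCookedData", fallback="true").strip().lower()
        if group in third_party_groups and cooked != "false":
            problems.append(f"[{stanza}] is a third-party group but sendCookedData is not false")
    return problems
```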