I need to configure my collection of universal forwarders to send information to distinct TCP ports...
Basically:
*NIX sending to indexer on port 7700
Input A sending to indexer on port 7701
Input B sending to indexer on port 7702
etc.
There's rarely a point in doing this. You can just send them all to the same port. The Splunk forwarding protocol includes identification of the source host (and the source file, the destination index, and other things) so there's usually not any need or advantage to using more than one port.
But if you really did need this for some reason (e.g., you're running multiple instances of Splunk on the host on different ports, or simply different hosts), you'd simply add a _TCP_ROUTING key to the inputs clause:
_TCP_ROUTING = destA
where destA is just the name of the output group in outputs.conf, e.g. destA in [tcpout:destA]
I am not quite sure what you are looking to do. But if you are looking to configure a Universal Forwarder to forward all data to 3 different indexers for specific ports then you will want to create a stanza for each indexer in your outputs.conf file like this:
[tcpout]
defaultGroup=*
[tcpout:Nix]
server = xxx.xxx.xxx.xxx:7700
[tcpout:inputA]
server = xxx.xxx.xxx.xxx:7701
[tcpout:inputB]
server = xxx.xxx.xxx.xxx:7702
If you want some additional information from the Splunk documentation, here is a link for cloning data across indexes and here is a link for forwarding data to indexes.
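Added example (not from either answer above, and not Splunk's own code): a small Python check that reads an inputs.conf and outputs.conf pair and resolves each input's _TCP_ROUTING value to the tcpout group and server it names, so a routing key that points at an undefined group is caught before deployment. The sample configs, monitor paths, the indexer.example.com host and the inputC group are constructed placeholders.

```python
import configparser

# Constructed sample configs (hosts, paths and group names are placeholders).
INPUTS_CONF = """
[monitor:///var/log/messages]
_TCP_ROUTING = Nix
[monitor:///opt/appA/logs]
_TCP_ROUTING = inputA
[monitor:///opt/appB/logs]
_TCP_ROUTING = inputB, inputC
"""

OUTPUTS_CONF = """
[tcpout]
defaultGroup = Nix
[tcpout:Nix]
server = indexer.example.com:7700
[tcpout:inputA]
server = indexer.example.com:7701
[tcpout:inputB]
server = indexer.example.com:7702
"""

def parse_conf(text):
    """Parse .conf text; '=' is the only delimiter so host:port values stay whole."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names such as _TCP_ROUTING case-sensitive
    cp.read_string(text)
    return cp

def resolve_routing(inputs_text, outputs_text):
    """Map each input stanza to [(group, server)]; server is None if the group is undefined."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    groups = {s.split(":", 1)[1]: outputs[s].get("server")
              for s in outputs.sections() if s.startswith("tcpout:")}
    # Inputs without _TCP_ROUTING fall back to defaultGroup from [tcpout].
    default = outputs.get("tcpout", "defaultGroup", fallback="")
    result = {}
    for stanza in inputs.sections():
        names = inputs[stanza].get("_TCP_ROUTING", default)
        result[stanza] = [(g.strip(), groups.get(g.strip()))
                          for g in names.split(",") if g.strip()]
    return result

if __name__ == "__main__":
    for stanza, targets in resolve_routing(INPUTS_CONF, OUTPUTS_CONF).items():
        for group, server in targets:
            print(f"{stanza} -> {group}: {server or 'UNDEFINED tcpout group'}")
```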