before my question i want you to show my data-flow. the data-flow is like universal forwarder to heavy-forwarder and later to indexers. so, my question is, i am here trying to send same data to two different indexers using UFs through heavy forwarder to indexers. so is there any possible solution for this. i know we can send data or logs directly to indexers using UF but in my case i was only looking to forward data with heavy-forwarder ?
UF---> HF---> (indexerA, indexerB)
On your HFs: define multiple target groups in outputs.conf, one for each (set of) indexer(s), and then assign both target groups to the defaultGroup. The HF will then clone the data to both destinations.
Example here: http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf#...
[tcpout]
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server=10.1.1.197:9997
[tcpout:indexer2]
server=10.1.1.200:9997
Even though that mentions Universal Forwarder, it would look the same on a HF and since in your case it is the HFs connecting to the indexers, that is where you need to put the cloning config.