Hello,

Running Splunk Universal Forwarder 7.3.6 (build 47d8552a4d84) on CentOS 7. I am sending two logs, suricata and bro, to indexers in AWS. The default Splunk group for these two is lbssl. I want to split the two up like so:

- suricata goes to lbssl (as it always has)
- bro goes to NAD

Based on this thread: https://community.splunk.com/t5/Getting-Data-In/How-can-we-send-data-to-2-different-groups-of-indexers/td-p/280318 I have set my outputs.conf file:

```
#ESG_072114_03
[tcpout]
defaultGroup = lbssl

[tcpout:lbssl]
compressed = true
server = old-url.com:443
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = long-encrypted-password-goes-here
sslRootCAPath = $SPLUNK_HOME/etc/apps/ssl_forwarder/cert/ca_chain.pem
sslVerifyServerCert = false

[tcpout:NAD]
compressed = true
server = new-url-for-bro-NAD-flow:443
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = another-long-encrypted-password-goes-here
sslRootCAPath = $SPLUNK_HOME/etc/apps/ssl_forwarder/cert/ca_chain.pem
sslVerifyServerCert = false
```

and in inputs.conf for the bro app I added the routing option:

```
[default]
_TCP_ROUTING = NAD
host=server-name-goes-here-01
```

I never get any data for old-url, which is the suricata flow that got to Splunk before the changes. new-url-for-bro-NAD-flow does appear to get data. Any thoughts on what is incorrect/misconfigured, or additional configs needed, would be helpful.
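A small consistency check for the two files above, added here as an example and not the poster's own code or any Splunk tooling: it parses outputs.conf and inputs.conf, confirms that `defaultGroup` and every `_TCP_ROUTING` target name a defined `tcpout:` group, flags `_TCP_ROUTING` placed in a `[default]` stanza (settings in `[default]` are merged into every input stanza after config layering, not only the inputs of the app the file lives in), and reports `sslVerifyServerCert = false`. The sample configs are constructed from the post's placeholders.

```python
import re
def parse_conf(text):
    """Minimal Splunk .conf parser -> {stanza: {key: value}}; '#' comment lines skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_routing(outputs_text, inputs_text):
    """Return a list of findings; an empty list means the routing looks consistent."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    findings = []
    default_group = outputs.get("tcpout", {}).get("defaultGroup")
    if default_group and default_group not in groups:
        findings.append(f"defaultGroup '{default_group}' has no [tcpout:{default_group}] stanza")
    for group in sorted(groups):  # forwarder-side TLS: disabled verification weakens the channel
        if outputs[f"tcpout:{group}"].get("sslVerifyServerCert", "").lower() == "false":
            findings.append(f"[tcpout:{group}] disables server certificate verification")
    for stanza, keys in inputs.items():
        routing = keys.get("_TCP_ROUTING", "")
        for target in [t.strip() for t in routing.split(",") if t.strip()]:
            if target not in groups:
                findings.append(f"[{stanza}] routes to undefined group '{target}'")
        if stanza == "default" and routing:  # [default] is merged into every input stanza
            findings.append("[default] sets _TCP_ROUTING for all inputs; set it per input stanza instead")
    return findings

# Constructed sample configs modelled on the post (placeholder group and host names).
OUTPUTS = """[tcpout]
defaultGroup = lbssl
[tcpout:lbssl]
sslVerifyServerCert = false
[tcpout:NAD]
sslVerifyServerCert = false
"""
INPUTS = """[default]
_TCP_ROUTING = NAD
[monitor:///var/log/bro]
sourcetype = bro
"""
```

Run `check_routing(OUTPUTS, INPUTS)` against the post's layout and it reports the `[default]` routing plus the disabled certificate verification on both groups; moving `_TCP_ROUTING` onto the bro input stanza leaves only the TLS findings.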