Does anyone have a splunk universal forwarder config they typically use for forwarding?

Original Question: https://cribl-community.slack.com/archives/CPYBPK65V/p1690293855973699

Original Author: Matt

Really depends on the details, but here's a starting point. This would be in a new app's outputs.conf. The splunk output group is assumed to be in your existing configs. The app name should be higher precedence than the existing (something like 000criblout).

```
[tcpout]
# clone the stream to both cribl and splunk, but don't block if one is down
defaultGroup = splunk,cribl_stream
blockOnCloning = false

[tcpout:cribl_stream]
# sending to "default" WG in cloud with TLS enabled
server = default.main.<instance>.cribl.cloud:9997
sendCookedData = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
useSSL = true
```
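As an added example (not from the thread or from Cribl or Splunk), here is a small linter that reads an outputs.conf with Python's configparser and checks the settings the stanza above relies on: the Cribl group is listed in `defaultGroup`, cloning to more than one group has `blockOnCloning = false`, and the Cribl Cloud group has `useSSL = true` with an `sslRootCAPath` so the server certificate is actually verified. The sample config and the instance name `example-instance` are constructed for the demo.

```python
"""Lint a Splunk Universal Forwarder outputs.conf for a Cribl Stream output group.

Added example: uses the stanza layout from the thread, with constructed values.
"""
import configparser

# Constructed sample modelled on the outputs.conf in the thread; not a real deployment.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
# clone the stream to both cribl and splunk, but don't block if one is down
defaultGroup = splunk,cribl_stream
blockOnCloning = false

[tcpout:cribl_stream]
server = default.main.example-instance.cribl.cloud:9997
sendCookedData = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
useSSL = true

[tcpout:splunk]
server = idx1.example.internal:9997
"""


def parse_outputs_conf(text):
    """Parse Splunk's INI-style conf text; keys stay case-sensitive as Splunk reads them."""
    cp = configparser.ConfigParser(interpolation=None)  # '$SPLUNK_HOME' must not be interpolated
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_cribl_group(text, group="cribl_stream"):
    """Return a list of findings (empty means the config matches the recommended shape)."""
    cp = parse_outputs_conf(text)
    findings = []
    section = f"tcpout:{group}"
    if not cp.has_section(section):
        return [f"missing [{section}] stanza"]

    # [tcpout] must route to the Cribl group, and cloning must not stall on a dead peer
    groups = [g.strip() for g in cp.get("tcpout", "defaultGroup", fallback="").split(",") if g.strip()]
    if group not in groups:
        findings.append(f"{group} is not listed in [tcpout] defaultGroup")
    if len(groups) > 1 and cp.get("tcpout", "blockOnCloning", fallback="true").lower() != "false":
        findings.append("cloning to several groups but blockOnCloning is not false; one down group blocks the rest")

    # The Cribl Cloud group must use TLS and be able to verify the server certificate
    s = cp[section]
    server = s.get("server", "")
    if not server or ":" not in server:
        findings.append("server is missing or has no port")
    if s.get("useSSL", "false").lower() != "true":
        findings.append("useSSL is not true; forwarded data would leave the host in cleartext")
    if not s.get("sslRootCAPath", "").strip():
        findings.append("sslRootCAPath is unset; the Cribl server certificate cannot be verified")
    if s.get("sendCookedData", "true").lower() != "true":
        findings.append("sendCookedData is false; Splunk metadata (host, source, sourcetype) is lost")
    return findings


if __name__ == "__main__":
    for finding in lint_cribl_group(SAMPLE_OUTPUTS_CONF) or ["OK: no findings"]:
        print(finding)
```

Run it against the app's outputs.conf before pushing it from the Deployment Server; a weakened copy (for instance `useSSL = false` with the CA path removed) produces one finding per missing control.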

Thanks for the starter. Was curious about a standard other folks might follow I was unaware of. Super helpful either way.


I like the above method because I can drop this into a Deployment Server, create a new server class for it, and assign a subset of forwarders to it easily. No change in your default apps. To revert, just remove the servers from the ServerClass. Presto-change-oh, back to normal.


The approach is somewhat documented here as well https://docs.cribl.io/stream/sources-splunk/#config-splunk-fwd
