diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 2821f62b4..b0c96de72 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -56,7 +56,7 @@
 {% endif %}
 {# Open Postgres (5432) to minion hostgroups when Telegraf is configured to write to Postgres #}
-{% set TG_OUT = (GLOBALS.telegraf_output | default('INFLUXDB')) | upper %}
+{% set TG_OUT = salt['pillar.get']('telegraf:output', 'BOTH') | upper %}
 {% if TG_OUT in ['POSTGRES', 'BOTH'] %}
 {% if role.startswith('manager') or role == 'standalone' or role == 'eval' %}
 {% for r in ['sensor', 'searchnode', 'heavynode', 'receiver', 'fleet', 'idh', 'desktop', 'import'] %}
diff --git a/salt/global/defaults.yaml b/salt/global/defaults.yaml
index d041306a7..92b9c1c1a 100644
--- a/salt/global/defaults.yaml
+++ b/salt/global/defaults.yaml
@@ -1,4 +1,3 @@
 global:
 pcapengine: SURICATA
- pipeline: REDIS
- telegraf_output: BOTH
\ No newline at end of file
+ pipeline: REDIS
\ No newline at end of file
diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml
index 61646168f..31d9f8d3b 100644
--- a/salt/global/soc_global.yaml
+++ b/salt/global/soc_global.yaml
@@ -59,13 +59,5 @@ global:
 description: Allows use of Endgame with Security Onion. This feature requires a license from Endgame.
 global: True
 advanced: True
- telegraf_output:
- description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation.
- options:
- - INFLUXDB
- - POSTGRES
- - BOTH
- global: True
- advanced: True
 helpLink: influxdb
diff --git a/salt/postgres/telegraf_users.sls b/salt/postgres/telegraf_users.sls
index cab65d8a8..6bcf0900c 100644
--- a/salt/postgres/telegraf_users.sls
+++ b/salt/postgres/telegraf_users.sls
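Review bot: In salt/firewall/map.jinja the new `TG_OUT` line reads the raw pillar with a literal `'BOTH'` fallback, so the decision to open 5432 to the minion hostgroups no longer comes from the merged value that salt/telegraf/etc/telegraf.conf uses (`TELEGRAFMERGED.output`); the hunk in salt/postgres/telegraf_users.sls repeats the same pattern. The default now lives in three places and the two literals fail open: if salt/telegraf/defaults.yaml were later changed to INFLUXDB, a grid with no explicit `telegraf:output` pillar would still get the firewall rule and the Postgres user states while Telegraf itself stops writing there. Reading the merged map in both files, `{% set TG_OUT = TELEGRAFMERGED.output | upper %}`, would keep one source of truth, assuming that map can be imported in these states as it evidently is in telegraf.conf. No migration of an existing `global:telegraf_output` pillar is visible in this diff, so a grid that had pinned INFLUXDB would presumably switch to BOTH on upgrade; worth confirming that is handled elsewhere.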
@@ -7,7 +7,7 @@
 {% if sls.split('.')[0] in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set TG_OUT = (GLOBALS.telegraf_output | default('INFLUXDB')) | upper %}
+{% set TG_OUT = salt['pillar.get']('telegraf:output', 'BOTH') | upper %}
 {% if TG_OUT in ['POSTGRES', 'BOTH'] %}
 # docker_container.running returns as soon as the container starts, but on
diff --git a/salt/postgres/tools/sbin/so-stats-show b/salt/postgres/tools/sbin/so-stats-show
index 102b51ccd..3cf7a05d8 100644
--- a/salt/postgres/tools/sbin/so-stats-show
+++ b/salt/postgres/tools/sbin/so-stats-show
@@ -24,7 +24,7 @@ Shows the most recent CPU, memory, disk, and load metrics for each host from the so_telegraf Postgres database. Without an argument, reports on every host that has data. With a host, limits output to that one.
-Requires: sudo, so-postgres running, global.telegraf_output set to
+Requires: sudo, so-postgres running, telegraf.output set to
 POSTGRES or BOTH.
 EOF
 exit 1
@@ -56,7 +56,7 @@ so_psql() {
 }
 if ! docker exec so-postgres psql -U postgres -lqt 2>/dev/null | cut -d\| -f1 | grep -qw so_telegraf; then
- echo "Database so_telegraf not found. Is global.telegraf_output set to POSTGRES or BOTH?"
+ echo "Database so_telegraf not found. Is telegraf.output set to POSTGRES or BOTH?"
 exit 2
 fi
diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml
index ef6c2bc77..ead122b0a 100644
--- a/salt/telegraf/defaults.yaml
+++ b/salt/telegraf/defaults.yaml
@@ -1,5 +1,6 @@
 telegraf:
 enabled: False
+ output: BOTH
 config:
 interval: '30s'
 metric_batch_size: 1000
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index d28dc7f96..ee13e33d0 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -8,7 +8,7 @@
 {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
 {%- set MDENGINE = GLOBALS.md_engine %}
 {%- set LOGSTASH_ENABLED = LOGSTASH_MERGED.enabled %}
-{%- set TG_OUT = GLOBALS.telegraf_output | upper %}
+{%- set TG_OUT = TELEGRAFMERGED.output | upper %}
 {%- set PG_HOST = GLOBALS.manager_ip %}
 {%- set PG_SAFE = GLOBALS.minion_id | replace('.','_') | replace('-','_') | lower %}
 {%- set PG_USER = 'so_telegraf_' ~ PG_SAFE %}
diff --git a/salt/telegraf/soc_telegraf.yaml b/salt/telegraf/soc_telegraf.yaml
index 40ae7fed8..4b9a2e3d1 100644
--- a/salt/telegraf/soc_telegraf.yaml
+++ b/salt/telegraf/soc_telegraf.yaml
@@ -4,6 +4,15 @@ telegraf:
 forcedType: bool
 advanced: True
 helpLink: influxdb
+ output:
+ description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation.
+ options:
+ - INFLUXDB
+ - POSTGRES
+ - BOTH
+ global: True
+ advanced: True
+ helpLink: influxdb
 config:
 interval:
 description: Data collection interval.
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index 787691b13..385db02ae 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -24,7 +24,6 @@
 'md_engine': INIT.PILLAR.global.mdengine,
 'pcap_engine': GLOBALMERGED.pcapengine,
 'pipeline': GLOBALMERGED.pipeline,
- 'telegraf_output': GLOBALMERGED.telegraf_output,
 'so_version': INIT.PILLAR.global.soversion,
 'so_docker_gateway': DOCKERMERGED.gateway,
 'so_docker_range': DOCKERMERGED.range,
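Review bot: The `output` description added in salt/telegraf/soc_telegraf.yaml leaves out the network effect of the setting: per the salt/firewall/map.jinja hunk in this commit, POSTGRES or BOTH also opens Postgres (5432) to the minion hostgroups on manager, standalone and eval roles, and the same test gates salt/postgres/telegraf_users.sls. The phrase "INFLUXDB keeps the current behavior" also reads as stale next to the `output: BOTH` default in salt/telegraf/defaults.yaml. I would append something like `POSTGRES and BOTH also open Postgres (5432) on the manager to minion hostgroups. Default is BOTH.` so an operator choosing a value in SOC sees the exposure it implies.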