About our architecture -
Goal-
If I can figure out how to send only _internal logs to Splunk, I could bundle this configuration into a DR-Control app into the IUF.
How do I configure a UF to send only _internal logs (both its own and those forwarded to it by other UFs) to its default outputs.conf location (which in our case is Splunk Cloud) and discard all other data to the null queue?
Hi @iparitosh,
first, I think that you could also use the DR-IUF in normal conditions; in this way all the other UFs divide the logs between the IUFs in normal activity and you also have less load on the main IUF; instead, the UFs send the logs to one of the IUFs when the other is down for maintenance or a fault (Splunk manages faults).
Anyway, if you don't want this, there's a cold solution: you can enable and disable receiving on the DR-IUF. In this way, when receiving is disabled, the DR-IUF sends only internal logs (the UFs don't send their logs to this IUF); when it's enabled, it sends all the logs that it receives from the UFs. The only problem is that this is a cold solution and you have to manually enable/disable receiving on the DR-IUF and restart Splunk on it.
Ciao.
Giuseppe