Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I configure Universal forwarder to send only internal logs and discard rest of the data?

iparitosh
Path Finder
‎04-20-2020 10:38 PM

About our architecture -

  • All of our UFs send data to one UF. We call it Intermediate Universal Forwarder. (IUF)
  • IUF receives data and forwards it to splunkcloud.
  • IUF is our gateway to splunkcloud.

Goal-

  • I am building a Disaster Recovery component of this IUF.
  • When there is No DR Scenario in place, IUF needs to send only _internal logs to splunkcloud but when there is DR Scenario, it needs to send all logs to splunkcloud.
  • This way I will be able to track the UF status on all DR nodes as well and won't consume license from them when there is no DR Scenario in place.

If I can figure out how to send only _internal logs to splunk, I could bundle this configuration into a DR-Control app into the IUF.

How do I configure a UF to send only _internal logs (Both it's own and forwarded to it by other UFs) to it's default outputs.conf location (which in our case is splunkcloud) and discard all other data to null queue?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-20-2020 11:44 PM

Hi @iparitosh,
at first, I think that you could use also the DR-IUF also in normal conditions, in this way all the other UFs divide the logs between the IUFs in normal activity and you have also less load on the main IUF, instead UFs send the logs to one of the IUFs when the other is down for maintenance or fault (Splunk manages faults).

Anyway, in you don't want this, there's a cold solution: you can enable and disable receinving on the DR-IUF, in this way, when receiving is disabled DR-IUF sends only internal logs (the UFs don't send their logs to this IUF), when it's enabled, it sends all the logs that receives from the UFs, the only problem is that this is a cold solution and you have to manually enable/disable receiving on the DR-IUF and restart Splunk on it.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...