All of our UFs send data to one UF. We call it Intermediate Universal Forwarder. (IUF)
IUF receives data and forwards it to splunkcloud.
IUF is our gateway to splunkcloud.
I am building a Disaster Recovery component of this IUF.
When there is No DR Scenario in place, IUF needs to send only _internal logs to splunkcloud but when there is DR Scenario, it needs to send all logs to splunkcloud.
This way I will be able to track the UF status on all DR nodes as well and won't consume license from them when there is no DR Scenario in place.
If I can figure out how to send only _internal logs to splunk, I could bundle this configuration into a DR-Control app into the IUF.
How do I configure a UF to send only _internal logs (Both it's own and forwarded to it by other UFs) to it's default outputs.conf location (which in our case is splunkcloud) and discard all other data to null queue?
at first, I think that you could use also the DR-IUF also in normal conditions, in this way all the other UFs divide the logs between the IUFs in normal activity and you have also less load on the main IUF, instead UFs send the logs to one of the IUFs when the other is down for maintenance or fault (Splunk manages faults).
Anyway, in you don't want this, there's a cold solution: you can enable and disable receinving on the DR-IUF, in this way, when receiving is disabled DR-IUF sends only internal logs (the UFs don't send their logs to this IUF), when it's enabled, it sends all the logs that receives from the UFs, the only problem is that this is a cold solution and you have to manually enable/disable receiving on the DR-IUF and restart Splunk on it.