One of the customers has a situation whereby there are 1000s of clients with Universal Forwarders in multiple network zones, trying to reach Splunk Heavy Forwarders which are also in multiple network zones. The network zones have to be specific due to security controls, but it is very hard to determine which zone the client (UF) is in beforehand. As of now, the outputs.conf files are hand-crafted manually once the customer identifies which zone the UF is based upon.
I was thinking of pushing an outputs.conf with **all** Heavy Forwarder servers in it, but I'm sure some of these cannot be reached from the clients. So my questions are:
1. How does the UF load balancing behave when it has all (say 10) servers in its outputs.conf list, but can only reach a subset (say 4) of them?
2. Will it throw errors and cause failure on the client, or a lot of error logs?
3. Is there a mechanism whereby we can ask the UF not to try the receiver again if it fails N number of times?