I have UFs deployed to many systems monitoring Windows event logs. I need to stop the SplunkForwarder service on some of these systems for about a day to do some testing. Will the UF pick back up from where it left off in the event logs or will I lose the logs from the day that the service is stopped? Does the UF queue up incoming logs while it is stopped or does it have a place marker that it goes back to in the logs once it is turned back on?