I have one missing event out of 168 events from our Universal Forwarder. I've already checked the internal logs, and the file has been indexed ("Batch input finished reading file="), but I cannot find this source in my index. I also tried expanding the time range and nothing appears. I then checked whether the forwarder was restarted at the time the file was indexed, but it was not.

The settings on my forwarder are:
**inputs.conf**

```
[batch://my_path]
move_policy = sinkhole
disabled = false
sourcetype = my_sourcetype
index = my_index
```

**outputs.conf**

```
[tcpout]
defaultGroup = default-autolb-group-forwarder

[tcpout:default-autolb-group-forwarder]
disabled = false
server = myIndexer:9997
useACK = true
```