Now this could be a case of RTFM, but I can't find this in TFM :)
I am trying to find some documentation on what the Universal Forwarder does when it can't connect to an indexer for various scenarios.
I am aware of indexer acknowledgement however that is really not what I want to know. I want to know how the UF will behave in various scenarios
http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Protectagainstlossofin-flightdata
So it is well documented that for TCP, UDP and script inputs.conf stanzas there are features for buffers and queues
queueSize = [KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
persistentQueueSize = [KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Defaults to 0 (no persistent queue).
* If set to some value other than 0, persistentQueueSize must be larger than
the in-memory queue size (set by queueSize attribute in inputs.conf or
maxSize settings in [queue] stanzas in server.conf).
* Persistent queues can help prevent loss of transient data. For information on
persistent queues and how the queueSize and persistentQueueSize settings
interact, see the online documentation.
Ref: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
If the indexer is not available, these queues will gradually fill until the indexer comes back online or the queues are full at which point other settings determine the behaviour of the UF.
What I can't find any documentation on is what happens to inputs for file monitor, WinEventLog, perfmon etc... when the indexer goes offline.
I'm confident that the indexing of these inputs pauses until the indexer returns. There is no need for a buffer because these events are already stored on the filesystem or within the OS. However I would like to find some documentation to show a customer who wants to know what the official behaviour is in this situation.
Then there is the other concern of rotating logfiles (while the indexer is offline) which is addressed in another Splunk answer (which I can't find right now)
↧