According to this document: http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Usepersistentqueues> The in-memory data can get lost if a crash occurs. Similarly, data that is in the parsing or indexing pipeline but that has not yet been written to disk can get lost in the event of a crash.
This only refers to a 'crash'. Does Splunk write the 500K of cached data to the persistent queue in the event of a clean shutdown of the forwarder or the machine?
↧