We have a standalone system that has a Universal Forwarder on it. While working on the standalone, it should still be collecting data for Splunk. Once we remove the drive and place it on the network, the forwarder should pull that data into Splunk even though work was being done in an “offline” state, right? We are not seeing that information. We see only the information from the time the drive is back “Online”. Is there a special configuration that needs to be done? Splunk Docs refer to a useACK=true command in the output.conf, but that doesn’t work.