I'm using distributed Universal Forwarders in remote locations in order to collect events from remote sites. To prevent data loss I configured a persistent queue on disk for specific inputs.
input.conf
```
[udp://514]
connection_host = ip
index = remotelogs
queueSize = 1MB
persistentQueueSize = 10MB
sourcetype = syslog
```
Everything works perfectly except in the following case. While the UF is disconnected from the Splunk Server, the events received by the UF are stored in memory. Even when the UF is gracefully stopped by using _$SPLUNK_HOME/bin/splunk stop_, the events from memory are not saved to the persistent queue on disk.
Does anyone know if this is a known issue or a bug? I didn't find any references on this issue.
Evaluated versions: 7.0.1 for both Server and UF.