We have our own custom-built application that collects data from other devices and builds a string in a Splunk-friendly format.
We are considering having the application deliver the data over TCP to the Splunk forwarder.
My question:
If the SplunkForwarder for some reason can't reach the indexers (e.g. closed firewall port or lost network connection), for how long (or how much) will data be kept in the output queue?
I have found this setting in the ${SPLUNK_HOME}$/etc/system/default/server.conf:
[queue]
maxSize = 500KB
# look back time in minutes
cntr_1_lookback_time = 60s
cntr_2_lookback_time = 600s
cntr_3_lookback_time = 900s
# sampling interval is the same for all the counters of a particular queue
# and defaults to 1 sec
sampling_interval = 1s
However, testing showed that more than 1 MB of data was kept in the queue when the link was restored.
Can anybody point me in a direction where I can find some information on this?
Any help would be appreciated.