Complex question here.
I have the following setup:
Universal Forwarder [20G rotating file] -> Heavy Forwarder [props.conf, transforms.conf] -> Splunk Light [5G license]
I'm tuning the heavy forwarder for filtering the log file (we only need a fraction of the log for analysis). props.conf and transforms.conf *seem* to be working now, but there was an error in them yesterday, causing it to send EVERYTHING, so we quickly exceeded our 5G Splunk Light limit and saw indexing stop.
In preparation for today's limit, yesterday I edited our props.conf and transforms.conf, but it seems to have filtered out *everything*. Some tweaking today, and a restart of the heavy forwarder, and I see event flows in the forwarder again... but...
I'm not seeing growth in today's events, I'm seeing growth in *yesterday's events*
**Question 1:**
Does exceeding the license cause the universal forwarder to *pause*? I would have expected events to *drop*.
**Question 2:**
Why did the filtered out events on the heavy forwarder's transforms.conf and props.conf not cause indexing to start at the time of the heavy forwarder restart?
**Question 3:**
How does the Universal forwarder handle log rotation? (Linux logrotate) For now, because the forwarder has not been restarted, I can see that it's reading the *old* log file, even though it's been rotated out (see output of lsof):
```text
splunkd 30174 root 46r REG 253,2 36499146450 1073741961 /data/log/messages-20160513 (deleted)
```
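The poster's own props.conf and transforms.conf are not shown, so as an added example (not the poster's configuration) here is the standard Splunk pattern for keeping only a fraction of a file on a heavy forwarder: one transform routes every event to `nullQueue`, and a second, listed later, routes the events you want back to `indexQueue`. The source path and the "keep" regex are assumptions for illustration.

```ini
# props.conf on the heavy forwarder (the UF does not parse, so this must live on the HF)
# The stanza must match what the UF actually sends: source path (as here) or sourcetype.
# Order in TRANSFORMS-* matters: the last transform whose REGEX matches decides the queue.
[source::/data/log/messages*]
TRANSFORMS-filter = setnull, setparsing

# transforms.conf on the heavy forwarder
# Stage 1: match every event (REGEX = .) and send it to the null queue.
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Stage 2: events matching the keep pattern override stage 1 and go to the index queue.
# Hypothetical pattern: keep sshd and sudo lines only.
[setparsing]
REGEX = \b(sshd|sudo)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Two checks worth running before trusting it: if `setparsing` is listed before `setnull`, `setnull` wins for everything and the filter drops all events (the "filtered out everything" symptom); and `splunk btool props list --debug` on the heavy forwarder shows which props stanza actually applies and from which file, which is the quickest way to spot a stanza header that does not match the incoming source or sourcetype.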