All,
I have a Splunk heavy forwarder collecting data from various endpoints, which then passes up to the Indexers. We recently had a config error that disconnected the HF from the IDX for a few hours. Some data was lost, some was not.
We have PLENTY of disk space on Heavy Forwarders and our understanding was the HF would buffer/cache until the indexers came online. This does not seem to be true. Or was there a setting I simply missed?
Thanks in advance,
-Daniel