We've set up our search head to forward its data to our indexing cluster using http://docs.splunk.com/Documentation/Splunk/6.4.3/DistSearch/Forwardsearchheaddata
What we noticed is that when restarting the Search Head, it stops forwarding data until it comes back, and hence we're missing some data.
For instance, the last line from splunkd.log that I can see in the _internal index is:
**09-01-2016 14:13:02.838 +0100 INFO PipelineComponent - Performing early shutdown tasks**
and the next event in _internal for that host is:
**09-01-2016 14:14:08.813 +0100 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (Resource Usage) starting; period=10s**
Looking at splunkd.log on the search head, there is plenty of information between 14:13:02 and 14:14:08, such as:
**09-01-2016 14:13:44.234 +0100 INFO ShutdownHandler - Shutdown complete in 41.43 seconds
09-01-2016 14:13:44.234 +0100 INFO loader - All pipelines finished.
09-01-2016 14:13:56.884 +0100 INFO loader - win-service: Starting as a Windows service: will run various system checks first...
09-01-2016 14:13:56.884 +0100 INFO loader - win-service: Splunk starting as a local administrator**
Is this a known bug?