We have an index cluster with 10+ indexers running on Splunk version 6.6.1. Some of the indexed events suddenly went missing after a network disruption (DNS outage) for a few minutes. There are no error messages in splunkd.log indicating any issues, replication factor and search factor are OK and all indexers are up.
Events are missing in at least 2 indexes and they are recent events. All concerned indexes have sufficient retention time and the buckets haven't moved to cold storage yet.
What would be the possible reason for the issue? Is there a way to recover the missing events?
Appreciate any pointers.