Good evening,
I was using DB connect and it was forwarding events to my indexers, searches were working and everything was great,
However the DBA then cleaned the source DB the events were coming from and now my index is empty, no events and no sourcetype, ,
Therefore a few questions,
1. Should I create my sourcetype on the SH as well as when its created on the HF (where DB Connect is installed).
2. When the source DB is cleaned and all events removed is it expected behaviour that it would remove events from the Splunk Indexes as well ?
Thanks
R
↧