Yes I neglected to mention the possibility of forwarders dropping data if queues are exceeded, so josefa will want to check on that as you suggested.

Right, I'll check my logs, hopefully forwarders will still be queuing. Thanks both!

Hello again,

Not sure if I should post this here because it's like a follow up of the first question, or should I create a new question.

So, I got more space on my indexer, forwarders started sending data again (I checked logs before this, apparently no blocked queues, or dropped data) but I do not seem to see any data from the period my indexer was out of disk space. I thought I understood that forwarders will send data from the day the indexer failed. If not, how can I send the missing information?

Thanks

Thank you for your answer, and yeah, sorry, I was thinking in the indexing part especifically.

As I daily use 8 of a 10GB license, I was thinking that, as the way forwarders work (that is, if something happens and it stops/stop sending data, when it resumes, it starts sending data from the point it last sent it), the flow of data to the indexer won't be the usual per-day amount, but two or three days amount for each forwarder. So on my indexer, will I see that forwarders are sending more data than usual and thus exceed my license?

PS: not a native english speaker, hope I made myself clear, so you can help me.

Yeah you will probably exceed your licensed volume for the day but splunk will only raise a warning on your indexer for each 24 hour period in which you do this, you get 4 "passes" in the past 30 days before splunk raises a violation flag (on the 5th warning). At this point search is disabled until the warnings are cleared.

If you exceed your volume once to catch up your indexes, it does not matter by how much, it is still a single warning per 24 hour period so you should not have anything to worry about.