Hi There,
I'm pretty new to Splunk. We have 3 physical Splunk servers and all the forwarders are forwarding to 1 and 2. All of a sudden some searches stopped working and the rest are working fine. Don't know where to start from. Any help is much appreciated.
Thanks in Advance.
The Splunk internal log is written to /$SPLUNK_HOME/var/log/splunk/splunkd.log. Please confirm if there is any error or crash.
Have you tried running the searches which no longer work against a time frame where they were known to work to see if it's the search or the data?