Dears,
May I know how to configure a Splunk Heavy Forwarder to store events locally in case the indexer is unavailable?
Hi ahmedhassanean,
if your requirement is to be sure that events will not be lost, you don't need any special configuration: Forwarders (Universal or Heavy) by default locally cache events when Indexers are down.
For this reason, if I must ingest syslogs, I prefer to use two Heavy Forwarders instead of directly receiving logs on Indexers.
If instead your requirement is to access events in search when an indexer is down, your question isn't a solution: in this case you have to configure an Indexer cluster.
Bye.
Giuseppe
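
The settings that govern forwarder-side buffering for the syslog case discussed above, as an added example that is not part of the original thread. The output group name, indexer host names, port and queue sizes are constructed placeholders to adapt.

```ini
# --- outputs.conf on the Heavy Forwarder ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Constructed host names; list every indexer so the forwarder can fail over.
server = idx1.example.com:9997, idx2.example.com:9997
# Indexer acknowledgement: the forwarder holds each block until an
# indexer confirms it, and resends it if no confirmation arrives.
useACK = true
# In-memory output queue used while no indexer is reachable.
maxQueueSize = 512MB

# --- inputs.conf on the Heavy Forwarder ---
[udp://514]
sourcetype = syslog
# In-memory input queue for this network input.
queueSize = 10MB
# Disk-backed queue that takes over once the in-memory queue is full.
# Default is 0 (no disk queue). Applies to network and scripted inputs;
# file monitor inputs simply pause reading and resume from their checkpoint.
persistentQueueSize = 5GB
```

Size `persistentQueueSize` from the expected event rate multiplied by the longest indexer outage you need to ride out, and check that the forwarder's disk has that much free space.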