If I have a Windows 2008 R2 Server and I need to turn off the Splunk Event forwarder service for a couple of hours and the system is still operational and logging information to the Windows Event Logs, once the service is turned back on will it do a differential check and use timestamps with the current logs the central Indexer has? Are those 2 hours of logs not going to get forwarded properly and must be manually sent to the Indexer or will they get sent in an automated batch once the service comes back online?
When I installed the Windows Event Forwarding service, I noticed it pushed all logs on the source server that was inside the Windows Event logs, so I am hoping it works the same if you turn the service back on, it runs a timestamp or delta check and pushes all missing logs to the Indexer.
As long as you are not using current_only=1
In your inputs for the win event stanzas then it will recover where it left off.
By the sounds of it you did not set this (otherwise it would not have imported historic logs when you installed), but it’s worth checking to make sure it has not been enabled by someone else.