I have 10 indexers and run a bunch of daily reports on heavy volume, hosts and search load.
Recently one of the indexers dropped off all results and i only see 9 out of 10 on all my reports.
What could be causing this, possibly not forwarding _internal indexes, how can i resolve getting the indexer to show up on my reports again?
I'd check the state of the distributed search peers. An indexer will consume its own internal logs ($SPLUNK_HOME/var/log/splunk/*) locally, so if it's not showing up there, I'd guess that it can't be reached at all. Forwarding of the _internal logs shouldn't matter in that case.