Hi community.
I receive the final answer from support team.
I have discussed the topic with one of our Senior Sustaining Engineering colleagues and we realised that the documentation doesn't seem to be totally accurate here. Whenever it talks about crash, it should also mention "splunk stop". These are the 4 main scenarios I would imagine in a simple forwarder-receiver topology:
List item
A. forwarder is crashing, while it is unable to forward data to the receiver (regardless if it's due to unreachable receiver, network issues or incorrect/missing outputs.conf or alike): in-memory data will not be moved into the persistent queue, even if the persistent queue still has got enough space to accomodate the in-memory queue data.
List item
B. forwarder is gracefully shut down, while it is unable to forward data to the receiver (regardless if it's due to unreachable receiver, network issues or incorrect/missing outputs.conf or alike): in-memory data will not be moved into the persistent queue, even if the persistent queue still has got enough space to accomodate the in-memory queue data.
List item
C. forwarder is crashing, but has been able to forward data to the receiver so far: persistent queue data will be preserved on disk, however in-memory data is very likely to be lost.
List item
D. forwarder is gracefully shut down, but has been able to forward data to the receiver so far: both persistent queue and in-memory data will be forwarded (and indexed) before the forwarder is fully shut-down. *
I will inform the documentation team about this missing detail.
Best regards,
Daniel
... View more