topic Preserve data on disconnected machine in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Preserve-data-on-disconnected-machine/m-p/561359#M100038 <P>I have a few endpoints with forwarders that need to be disconnected from the network for periods of time (up to a month in some instances). Since we forward Windows Event Log data (for security audits) to our indexer on the network, I do not want to lose any data and would like the forwarders to send all of the missing data to the indexer once they rejoin the network.</P><P>I have been reading about acknowledgement and persistent queues, but it seems that the forwarder still keeps some data in memory. I would like to eliminate or at least severely minimize the amount of audit data in memory that will be lost.</P><P>Can I combine the acknowledgement and persistent queue settings to achieve this? Can I set useACK=true and set maxQueueSize to something super small like maxQueueSize=1kb, then set the persistentQueueSize to an appropriate amount to cover the amount of time the forwarder will be disconnected? Is there a minimum limit to maxQueueSize?</P> Thu, 29 Jul 2021 12:58:08 GMT robertjollsdrs 2021-07-29T12:58:08Z Preserve data on disconnected machine https://community.splunk.com/t5/Getting-Data-In/Preserve-data-on-disconnected-machine/m-p/561359#M100038 <P>I have a few endpoints with forwarders that need to be disconnected from the network for periods of time (up to a month in some instances). Since we forward Windows Event Log data (for security audits) to our indexer on the network, I do not want to lose any data and would like the forwarders to send all of the missing data to the indexer once they rejoin the network.</P><P>I have been reading about acknowledgement and persistent queues, but it seems that the forwarder still keeps some data in memory. I would like to eliminate or at least severely minimize the amount of audit data in memory that will be lost.</P><P>Can I combine the acknowledgement and persistent queue settings to achieve this? Can I set useACK=true and set maxQueueSize to something super small like maxQueueSize=1kb, then set the persistentQueueSize to an appropriate amount to cover the amount of time the forwarder will be disconnected? Is there a minimum limit to maxQueueSize?</P> Thu, 29 Jul 2021 12:58:08 GMT https://community.splunk.com/t5/Getting-Data-In/Preserve-data-on-disconnected-machine/m-p/561359#M100038 robertjollsdrs 2021-07-29T12:58:08Z