If I am about to shutdown my system, how can I make sure that the Splunk Forwarder has forwarded all log data off of the instance? In this case, the logs will be deleted when the system shuts down, so I want to make sure no log data goes missing.
You can't tell splunk to prevent a system from shutting down. However, you can run something like
tail -100 /opt/splunkforwarder/var/log/splunk/metrics.log | grep queue | grep tcpout
and make sure "current_size" = 0 before shutting it down.
What you mean by "my System",Is it a UF or Indexer?
