Deployment Architecture

Missing events after network disruption


We have a index cluster with 10+ indexers running on Splunk version 6.6.1. Some of the indexed events suddenly went missing after a network disruption (dns outage) for few minutes. There are no error messages in splunkd.log indicating any issues, replication factor and search factor are ok and all indexers are up.

Events are missing in at least 2 indexes and they are recent events. All concerned indexes have sufficient retention time and the buckets haven't moved to cold storage yet.

What would be the possible reason for the issue? is there a way to recover the missing events?
Appreciate any pointers.

0 Karma

Esteemed Legend

Hi thol,
some additional information:

  • how do you receive events, by syslog or by Universal Forwarder?
  • if syslog, the network problem you said was between source and Splunk receivers?
  • if syslogs, how do you receive them, using one or more Heavy forwarders? have you a Load Balancer?
  • how is connected your storage to Indexers, NAS?



Thank you Giuseppe,

  • Events are received through Http Event Collector from a heavy forwarder. Event was already in the index and the events were already seen from the dashboard.
  • During network outage. Its possible some indexers were not able communicate with index master or peers for a few minutes.
  • all storage to indexers are local disks.
0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...