Missing events after network disruption

thol · ‎09-26-2019

We have a index cluster with 10+ indexers running on Splunk version 6.6.1. Some of the indexed events suddenly went missing after a network disruption (dns outage) for few minutes. There are no error messages in splunkd.log indicating any issues, replication factor and search factor are ok and all indexers are up.

Events are missing in at least 2 indexes and they are recent events. All concerned indexes have sufficient retention time and the buckets haven't moved to cold storage yet.

What would be the possible reason for the issue? is there a way to recover the missing events?
Appreciate any pointers.

gcusello · ‎09-26-2019

Hi thol,
some additional information:

how do you receive events, by syslog or by Universal Forwarder?
if syslog, the network problem you said was between source and Splunk receivers?
if syslogs, how do you receive them, using one or more Heavy forwarders? have you a Load Balancer?
how is connected your storage to Indexers, NAS?

Bye.
Giuseppe

thol · ‎09-27-2019

Thank you Giuseppe,

Events are received through Http Event Collector from a heavy forwarder. Event was already in the index and the events were already seen from the dashboard.
During network outage. Its possible some indexers were not able communicate with index master or peers for a few minutes.
all storage to indexers are local disks.

Missing events after network disruption

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio