Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing events after network disruption

thol
Explorer
‎09-26-2019 05:21 PM

We have a index cluster with 10+ indexers running on Splunk version 6.6.1. Some of the indexed events suddenly went missing after a network disruption (dns outage) for few minutes. There are no error messages in splunkd.log indicating any issues, replication factor and search factor are ok and all indexers are up.

Events are missing in at least 2 indexes and they are recent events. All concerned indexes have sufficient retention time and the buckets haven't moved to cold storage yet.

What would be the possible reason for the issue? is there a way to recover the missing events?
Appreciate any pointers.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-26-2019 11:43 PM

Hi thol,
some additional information:

  • how do you receive events, by syslog or by Universal Forwarder?
  • if syslog, the network problem you said was between source and Splunk receivers?
  • if syslogs, how do you receive them, using one or more Heavy forwarders? have you a Load Balancer?
  • how is connected your storage to Indexers, NAS?

Bye.
Giuseppe

Reply

thol
Explorer
‎09-27-2019 10:25 AM

Thank you Giuseppe,

  • Events are received through Http Event Collector from a heavy forwarder. Event was already in the index and the events were already seen from the dashboard.
  • During network outage. Its possible some indexers were not able communicate with index master or peers for a few minutes.
  • all storage to indexers are local disks.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...