Solved: Does a universal forwarder's persistent queue exis...

dflodstrom · ‎08-10-2016

According to this document: http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Usepersistentqueues

The in-memory data can get lost if a crash occurs. Similarly, data that is in the parsing or indexing pipeline but that has not yet been written to disk can get lost in the event of a crash.

This only refers to a 'crash'. Does Splunk write the 500K of cached data to the persistent queue in the event of a clean shutdown of the forwarder or the machine?

jonathan_cooper · ‎08-10-2016

Yes, part of the shutdown of the service is to wait for all queues to finish. This is why Splunkd can take longer to restart at times, you can watch this happening in the logs.

View solution in original post

jonathan_cooper · ‎08-10-2016

Yes, part of the shutdown of the service is to wait for all queues to finish. This is why Splunkd can take longer to restart at times, you can watch this happening in the logs.

dflodstrom · ‎08-10-2016

Excellent. Thanks, Cooper! We're thinking about installing UFs on laptops and this was one of our concerns.

Does a universal forwarder's persistent queue exist after a reboot?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...