Getting Data In

Does anyone know where a heavy forwarder stores events to be sent to a splunk indexer when using Acknowledgement?

kenoski
Path Finder

We are using Splunk 6.2.6.

I am using heavy forwarder at remote sites to forward data to a central indexer.

To make sure data is received we are using the useACK=true attribute.

On one of our sites, the connection is broken between the central indexer, so no forwarding can be completed.

Now the heavy forwarder, which is used locally as a search head is getting handshake timeouts, and prevents all GUI communication.
I would assume it is from failing to communicate to the central indexer.

We have tried to comment out heavy forwarder's outputs.conf file thinking that after a restart it would then be able to communicate....No such luck.

So....When a backlog of events to forward to an indexer builds up in a heavy forwarder, is there some file/directory we can delete to remove the backlog, and restore normal GUI communication?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

By default the Splunk's input queues are stored in Memory, so forwarder crash/shutdown/restart will empty the queue automatically. If you're using a persistence queue, than it could be located in file sytem/disk (http://docs.splunk.com/Documentation/Splunk/6.2.6/Data/Usepersistentqueues)

The issue could be something else. Do you see any specific error in splunkd.log ?

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

By default the Splunk's input queues are stored in Memory, so forwarder crash/shutdown/restart will empty the queue automatically. If you're using a persistence queue, than it could be located in file sytem/disk (http://docs.splunk.com/Documentation/Splunk/6.2.6/Data/Usepersistentqueues)

The issue could be something else. Do you see any specific error in splunkd.log ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...