How did logs from a heavy forwarder get indexed wh...

Madhan45 · ‎04-03-2016

Splunk was running on a heavy forwarder during the time period 00:00 to 00:20. Related logs also have been found in splunkd.log & splunkd_stderr.log.
I got few logs from the HF at 23:00. How is it possible?
If Splunk is not running, how did these logs get indexed?

jmallorquin · ‎04-04-2016

Hi,

If the logs has timestamp, splunk index in the timestamp of the log. So if the log was create at 23:00, its normal that you have events in that time. Also review the timezone in which you are index the events.

Hope i help you.

Madhan45 · ‎04-04-2016

The event generated time and index time both are same. there was no lagging in event. splunk was running only for the time period 00:00 00:20 after thet till now i didn't start splunk. then how did those logs get index?

jmallorquin · ‎04-04-2016

Open the events of the log and check if are there events from 23:00

Hope i help you

How did logs from a heavy forwarder get indexed when Splunk was not running?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation