How to avoid data loss on HF on restart

AnilPujar
Path Finder

I have the Service Now add-on and DB Connect on a Heavy Forwarder, so I can't use multiple instances of HF to avoid data duplication and licensing. Both my apps, Service Now and DB Connect, are in real-time sync, and I also need to make changes in props & transforms frequently. So in this case, how do I avoid data loss? Will just using indexer ack resolve it?

esix_splunk
Splunk Employee

This is addressed partially in 8.0.1 and coming in 7.2.10: adding and removing inputs for HEC will no longer require a restart!

0 Karma

FrankVl
Ultra Champion

I took the liberty of changing your post to a new question, instead of an answer to https://answers.splunk.com/answers/674341/missing-of-events-and-flooding-of-data-in-heavy-fo.html

To better understand your situation: why do you have frequent props/transforms changes that require a restart? Does this HF do other tasks, besides the SN and DBX apps (e.g. routing data from other forwarders or so)?

0 Karma

sahilyahiya
Explorer

Hi Frank,
Since I am also expecting an answer to a similar question, please find the details below.

When we add a new HEC via inputs.conf on the HF, we have a setting restartSplunkd = true in the Serverclass associated with the HEC app. So whenever we add a new HEC, we need to restart the HFs that are used to collect the HTTP inputs.

Can we use restartSplunkd = false while adding a new inputs.conf?

0 Karma