Re: How to avoid data loss on HF on restart

AnilPujar · ‎11-07-2018

I have service now add on, db connect in Heavy Forwarder. So i cant use multiple instances of HF to avoid data duplication and licensing. My both apps Service Now and DB connect are in real time sync, also I need to do changes in props & transforms frequently. so in this case how to avoid data loss. Just using indexer ack will resolve?

esix_splunk · ‎01-27-2020

This is addressed partially in 8.0.1 and coming in 7.2.10, adding and removing inputs for HEC will no longer require a restart!

FrankVl · ‎11-08-2018

I took the liberty of changing your post to a new question, instead of an answer to https://answers.splunk.com/answers/674341/missing-of-events-and-flooding-of-data-in-heavy-fo.html

To better understand your situation: why do you have frequent props/transforms changes that require a restart? Does this HF do other tasks, besides the SN and DBX apps (e.g. routing data from other forwarders or so)?

sahilyahiya · ‎01-27-2020

Hi Frank,
Since I am also expecting an answer to a similar question, please find the details below.

When we add a new HEC via inputs.conf in HF, we have a setting restartSplunkd = true in Serverclass associated with HEC app. So whenever we add a new HEC, we need to restart the HF's that is used to collect the HTTP inputs.

Can we use restartSplunkd = false while adding a new inputs.conf ?

How to avoid data loss on HF on restart

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann