I am getting data to Splunk Universal Forwarder port through the TCP port. Then the data is forwarded to indexers. What if the server is rebooted, will there be the data loss? If not, how much time can data can be in hold until the server is restarted? What factors should I consider?
Given your updated, the answer is "probably". It all depends on how Cloud Foundry handles the loss of the destination. Because you are TCP (not UDP), the sending side knows when the receiving side is gone. Whether it looks for this or not, and if it does, how it handles this, will depend on the sender. So you need to check out how Cloud Foundry handles this. Most TCP senders do have a queue to handle these situations but it usually is not very big and fills up pretty quickly.
thanks for the reply
You have not given enough description of your topology and software in order for anyone to give you an answer that is worth anything.
I am getting tcp streams of data from clould foundry. My Splunk UF is picking the data trough TCP port and forwarding it to indexers. Does data is lost if Splunk UF is rebooted? or data loss depends on the source architecture(clould foundry)?