Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Impact of indexer going down for sometime.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Impact of indexer going down for sometime.
Hello All,
We have a server on which indexer and search head deployed. furthermore we are getting logs from UF and HF's. due to some requirement we might require some downtime for the server on which Indexer and search head has been deployed.
Will there be any log loss due to this server downtime? If yes how long logs will be lost there?
If UF cache logs locally then for how log UF cache the logs, if there any dependency on cache memory available on UF server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ,
Thanks for your response, i would like to understand how would stopping UF and HF will prevent log loss?
Waiting for your response.
Regards,
Satyam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Obviously it depends on the types of logs you are monitoring:
- if its static files, UF/HF will save a checkpoint of where they stop reading, and will continue whenever you start them again
- if is tcp/udp or syslog-like, you need to adopt other strategies like setting up a distributed Splunk environment with a cluster of Indexers or a Syslog server to receive the tcp/udp logs and write them to files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The best way to avoid logs being lost would be to stop the UFs and HFs before taking down the Indexers.
Another way woulbe be to disable the inputs.conf, by creating/updating a configuration like this:
[perfmon:*] disabled = true
[WinEventLog:]
disabled = true
[monitor://<path>]
disabled = true
------------
If this was helpful, some karma would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
