Solved: Removing unsent messages of Splunk universal forwa...

manasbellani · ‎03-04-2023

Hi, I have a simple setup of a Splunk universal forwarder on a windows server forwarding data to a single Linux server acting as Splunk indexer/search head.

Sometimes the connection to this server can drop from the windows box and when it is restored, a large number of messages not sent when the connection had dropped get forwarded.

How can I empty the Splunk universal forwarder messages queue via the command line just before the connection is reinstated, so that any unsent messages are dropped?

tscroggins · ‎03-05-2023

@manasbellani

To prevent the forwarder from queuing events and blocking output, you can add the blockOnCloning setting to outputs.conf. On a typical unmanaged Windows forwarder, modify C:\Program Files\SplunkUniversalForwarder\etc\sytem\local\outputs.conf and restart the "SplunkForwarder Service" service.

[tcpout]
blockOnCloning = false

This setting will result in dropped/lost/missing events any time the forwarder is unable to connect to the receiver and output queues are filled. Implement with caution!

View solution in original post

tscroggins · ‎03-05-2023

@manasbellani

To prevent the forwarder from queuing events and blocking output, you can add the blockOnCloning setting to outputs.conf. On a typical unmanaged Windows forwarder, modify C:\Program Files\SplunkUniversalForwarder\etc\sytem\local\outputs.conf and restart the "SplunkForwarder Service" service.

[tcpout]
blockOnCloning = false

This setting will result in dropped/lost/missing events any time the forwarder is unable to connect to the receiver and output queues are filled. Implement with caution!

Removing unsent messages of Splunk universal forwarder

universal forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life