Hi, I have a simple setup of a Splunk universal forwarder on a Windows server forwarding data to a single Linux server acting as Splunk indexer/search head.
Sometimes the connection to this server can drop from the Windows box and when it is restored, a large number of messages not sent when the connection had dropped get forwarded.
How can I empty the Splunk universal forwarder messages queue via the command line just before the connection is reinstated, so that any unsent messages are dropped?
To prevent the forwarder from queuing events and blocking output, you can add the blockOnCloning setting to outputs.conf. On a typical unmanaged Windows forwarder, modify C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf and restart the "SplunkForwarder Service" service.
[tcpout]
blockOnCloning = false
This setting will result in dropped/lost/missing events any time the forwarder is unable to connect to the receiver and output queues are filled. Implement with caution!
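Since the setting above trades event delivery for non-blocking output, it helps to know which forwarders carry it. The following is an added example, not part of the original answer: a small audit that flags outputs.conf text where blockOnCloning is disabled in a tcpout stanza. The sample configs, the host name, and the accepted spellings of "false" are assumptions.

```python
# Added example: audit outputs.conf text for tcpout stanzas that disable
# blocking and can therefore drop events while the receiver is unreachable.
FALSE_VALUES = {"false", "0", "f", "no", "n"}  # assumption: accepted "false" spellings

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()  # last value wins
    return stanzas

def lossy_tcpout_stanzas(text):
    """Return names of tcpout stanzas where blockOnCloning is set to false."""
    hits = []
    for name, settings in parse_conf(text).items():
        # Assumption: the setting may sit in [tcpout] or in a [tcpout:<group>] stanza.
        if name != "tcpout" and not name.startswith("tcpout:"):
            continue
        value = settings.get("blockOnCloning")
        if value is not None and value.lower() in FALSE_VALUES:
            hits.append(name)
    return hits

# Constructed sample inputs (not taken from a real forwarder).
SAMPLE_LOSSY = """
[tcpout]
defaultGroup = primary
blockOnCloning = false

[tcpout:primary]
server = indexer.example.internal:9997
"""
SAMPLE_DEFAULT = """
[tcpout]
defaultGroup = primary

[tcpout:primary]
server = indexer.example.internal:9997
"""

if __name__ == "__main__":
    for label, text in (("lossy", SAMPLE_LOSSY), ("default", SAMPLE_DEFAULT)):
        print(label, lossy_tcpout_stanzas(text))
```
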