I am wondering how the splunk forwarder agent handles the following scenario.
Let’s say the agent is installed on a windows server and the agent service/application for unknown reason stops. The OS continues to run and therefore log continues to be generated. After a period the agent is up and running again. Will the agent forward events that has been generated while it was down or will it forward logs “on the fly”??