SPLUNK forwarder

dejn · ‎11-14-2011

I am wondering how the splunk forwarder agent handles the following scenario.

Let’s say the agent is installed on a windows server and the agent service/application for unknown reason stops. The OS continues to run and therefore log continues to be generated. After a period the agent is up and running again. Will the agent forward events that has been generated while it was down or will it forward logs “on the fly”??

Kate_Lawrence-G · ‎11-14-2011

It depends on your log rotation schedule.

If the log file has continued to simply append while Splunk was stopped the forwarder will pick it up from the last check after it's been started and that data will make it's way to the indexer.

However if the data was moved to a different log during that period or was zipped or otherwise compressed Splunk will likely not pick it (depending on your blacklist settings in input.conf).

SPLUNK forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

SPLUNK forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future