We have Splunk 3.4.4 Forwarders installed on four Linux SLES10_64 servers. Usually our production logs produce a constant stream of at least 30 events/minute during the night time. Due to performance issues with these production boxes, we recently switched those Forwarders into LWF mode to reduce their footprint. Now we found out that during the night time, when the data stream on the logs drops down to approx. 30 events/minute, the LWFs don't forward any data to our Indexer until logrotate sets in at 8am. During the day time the LWFs work fine until approx. 11pm, plus or minus 2 hours.
Is this a bug in the Splunk 3.4.4 LWF? Or could it be a licensing issue? The logs of these LWFs don't show anything.