Getting Data In

UFs new pointer after restart

hectorvp
Communicator

If I gracefully shutdown the UF, it will send all logs from output queue and from internal parsing queue.

Suppose I restart the UF after 1min, will it start sending logs from logs file where he had left before shutdown???  

Or will it start sending new logs which are getting appended independent of where had left off.

 

If in such scenarios logs are getting dropped, is there any way to detect how many such logs were dropped? 

What may happen if UF is crashed, obviously it will drop queue logs but from where he would start once he is up and running??

Labels (3)
1 Solution

richgalloway
SplunkTrust
SplunkTrust

When the UF starts, it resumes reading log files from where it left off.

If the UF crashes, data read and not sent is lost unless indexer acknowledgment is used.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

When the UF starts, it resumes reading log files from where it left off.

If the UF crashes, data read and not sent is lost unless indexer acknowledgment is used.

---
If this reply helps you, Karma would be appreciated.

hectorvp
Communicator

@richgalloway 

Then if UF crashes and we restore it by some means and again UF is up and running ,although UF dropped events which was read but then from where he would start reading new events from the file??

Again would UF start from where he had left off??

0 Karma

richgalloway
SplunkTrust
SplunkTrust
The UF will start from the last file position it saved.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...