Solved: UFs new pointer after restart

hectorvp · ‎09-25-2020

If I gracefully shutdown the UF, it will send all logs from output queue and from internal parsing queue.

Suppose I restart the UF after 1min, will it start sending logs from logs file where he had left before shutdown???

Or will it start sending new logs which are getting appended independent of where had left off.

If in such scenarios logs are getting dropped, is there any way to detect how many such logs were dropped?

What may happen if UF is crashed, obviously it will drop queue logs but from where he would start once he is up and running??

richgalloway · ‎09-25-2020

When the UF starts, it resumes reading log files from where it left off.

If the UF crashes, data read and not sent is lost unless indexer acknowledgment is used.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-25-2020

When the UF starts, it resumes reading log files from where it left off.

If the UF crashes, data read and not sent is lost unless indexer acknowledgment is used.

---
If this reply helps you, Karma would be appreciated.

hectorvp · ‎09-26-2020

@richgalloway

Then if UF crashes and we restore it by some means and again UF is up and running ,although UF dropped events which was read but then from where he would start reading new events from the file??

Again would UF start from where he had left off??

richgalloway · ‎09-26-2020

The UF will start from the last file position it saved.

---
If this reply helps you, Karma would be appreciated.

UFs new pointer after restart

indexer

other

universal forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life