If you use Splunk Enterprise or SplunkCloud, you can guard against loss of data when forwarding by enabling the indexer acknowledgment capability. With indexer acknowledgment, the forwarder will resend any data that the receiver does not acknowledge as "received".
You enable indexer acknowledgment on the forwarder, in the outputs.conf file.
See how acknowledgement works.
See how acknowledgement failure is handled.
However if the forwarder is restarted/stopped while waiting for indexer acknowledgment, in most of the cases unacknowledged data is not resend upon forwarder restart/start. That is because indexer acknowledgment is just an agreement between the output processor and the target server.
There are 4 major input types:
- File inputs(monitor/batch mode)
- Modular inputs
- Network inputs(TCP/UDP)
- HTTP inputs(http receiver endpoints/http event collector)
Only the file input in the monitor mode can resend data if the forwarder is restarted/stopped while waiting for indexer acknowledgment.
Acknowledgement is sent back to the forwarder after replication factor is met. That means for rep factor 3, source indexer waits on acknowledgement from 2 replication target indexers.
Inputs on forwarders are not aware of the indexer acknowledgement process.
Latency increases when the target server is not an indexer as the intermediate tier will wait for acknowledgement before acknowledging back to edge forwarder.
For more information, see the outputs.conf spec file.
