I have 2 hosts logging to Splunk via syslog. Events are received for both for a while... then one of them (the more verbose of the 2) is being ignored after ~24 hours!!!
I restart Splunk and indexing resumes...
I've noticed that the "Data Summary" shows events being received (timestamps are current), but using the Search, no recent entries show for that host!!!
Is there a configuration option that would set Splunk to ignore log events above a daily threshold? Nothing is showing in "Splunk Messages".
Thanks