You can probably search the internal Splunk logs on the forwarder for warn or error log levels. And probably the same on the indexer. For example, looking for connection errors from the forwarder to the indexer.
But do you have acknowledgement turned on, so if the forwarder sends an event to the indexer it waits for an ack before clearing it from the queue?
Anything similar about the missing events that might differentiate them? Different log files? Different sourcetypes, etc.?