Hello,
we have problems with some log files which are randomly don't get indexed for a couple of hours. There is no log rotation during this time period and sometimes even no restart of the splunk forwarder is neccessary to start again with indexing.
Output splunkd.log filtered for affected "audit_log":
02-12-2019 12:09:57.358 +0100 DEBUG ChunkedLBProcessor - Chunked Line Breaker Processing has been disabled for for sourcetype::audit_log
02-12-2019 12:09:57.358 +0100 INFO UTF8Processor - Converting using CHARSET="UTF-8" for conf "source::/xxx/audit.log|host::xxx|Haudit_log|339419"
02-12-2019 06:33:16.783 +0100 INFO S2SSender - Abandoning channel with code=2, conf="source::/xxx/audit.log|host::xxx|audit_log|339419", unique_id=422585, last_touched=1549948674, last_touched_asctime="Tue Feb 12 06:17:54 2019", age=922281, ttl=300000
02-12-2019 06:17:54.985 +0100 INFO Metrics - group=per_sourcetype_thruput, series="audit_log", kbps=0.06303521503133032, eps=0.5483843194729626, kb=1.9541015625, ev=17, avg_age=0.6470588235294118, max_age=5
02-12-2019 06:17:54.503 +0100 DEBUG TcpOutputProc - Pushed eventId=61 on chanId=422585 to back of tcp client (tcp output) queue. source:source::/xxx/audit.log|host::xxx|audit_log|339419
... View more