I want the following pattern:
1) Read event from High Availability message broker.
2) [Processing goes here]
3) Log event to Splunk HA cluster.
4) Receive confirmation that event has been successfully indexed (or otherwise definitely won't be going away)
5) Consume event from HA message broker, move on to next event.
Right now in my understanding there's a hole at (4). I can send the event to a forwarder, but if someone hard-resets the forwarder before it gets into Splunk then I have no way of knowing that's happened unless I use HEC acknowledgement. Is HEC acknowledgement the only way of doing this?
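The five-step pattern from the post, sketched with HEC indexer acknowledgement; this is an added example, not code from the original poster or from Splunk. It assumes a HEC token with acknowledgement enabled and a channel GUID; the `post` transport callable and the broker message's `body` / `ack()` names are hypothetical stand-ins for your HTTP client and broker library.

```python
import json
import time

EVENT_PATH = "/services/collector/event"
ACK_PATH = "/services/collector/ack"


class NotAcknowledged(Exception):
    """HEC did not confirm the event; the broker message must stay unconsumed."""


def hec_headers(token, channel):
    # With acknowledgement enabled, every HEC request carries a channel GUID.
    return {"Authorization": f"Splunk {token}", "X-Splunk-Request-Channel": channel}


def send_and_confirm(post, token, channel, event, timeout=30.0, interval=1.0,
                     sleep=time.sleep, clock=time.monotonic):
    """Steps 3 and 4: submit one event, then poll until its ackId reports true.

    `post(path, headers, body) -> dict` is a hypothetical transport; wrap your
    HTTP client in it and keep TLS certificate verification enabled.
    """
    headers = hec_headers(token, channel)
    reply = post(EVENT_PATH, headers, json.dumps({"event": event}))
    if reply.get("code") != 0 or "ackId" not in reply:
        raise NotAcknowledged(f"HEC rejected event: {reply}")
    ack_id = reply["ackId"]
    deadline = clock() + timeout
    while clock() < deadline:
        status = post(ACK_PATH, headers, json.dumps({"acks": [ack_id]}))
        # The ack endpoint keys its answer by ackId as a JSON string.
        if status.get("acks", {}).get(str(ack_id)) is True:
            return ack_id
        sleep(interval)
    raise NotAcknowledged(f"ackId {ack_id} not confirmed within {timeout}s")


def handle(message, process, post, token, channel, **kw):
    """Steps 1-5 for one broker message (`body` and `ack()` are assumed names)."""
    event = process(message.body)                        # step 2
    send_and_confirm(post, token, channel, event, **kw)  # steps 3-4, raises on failure
    message.ack()                                        # step 5, only after confirmation
```

Because the broker message is consumed only after the acknowledgement, a crash between confirmation and `message.ack()` redelivers the event, so this gives at-least-once delivery and downstream searches should tolerate duplicates.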