Hi @hectorvp .. if you use the indexer acknowledgement feature, as per my understanding, there will be no data loss in-flight(dropped data), as it uses the "handshake" logic's. (with this handshake logic, if the UF got crashed, when its resolved and comes up again, indexer will know from where it should read. so the events inside the queues will be re-read and re-processed again). I have worked on few financial projects in which the client managers will ask these questions, i have explained them as well. In practical scenarios, 1) the critical data, the clients wont agree to be sent to splunk altogether, thats good. 2). so, the lesser-critical data, that can be sent to splunk. 3). the data loss when UF down / indexer down is very rare case. lets say around 5 out of 100 cases. and when it happens, those 5 cases, the logs can be re-read. 4) the value of the logs is not that much critical, so we need not worry much on this "worst case" scenarios. (PS - i have given around 350+ karma points so far, received badge for that, if an answer helped you, a karma point would be nice!. we all should start "Learn, Give Back, Have Fun")
... View more