Hi guys,
Here is my issue:
I have 2 rsyslog servers that are in production in a redundant setup. Other servers forward the same logs to these servers at the same time. Due to UDP drops, the log files are slightly different on both servers.
I have the Forwarder set up on only one of them, let's call it Server A. Now I need to retire Server A and replace it with Server B.
My question here is, when Server B comes up, will Splunk start indexing all the log files as if it were a new server? If yes, how can I avoid duplicate indexed data? Is there a Splunk best practice for such a situation? I know the Splunk forwarder remembers where it left off while monitoring files; is there a way to transfer that monitoring offset data to the new server so that once Server B comes up it starts monitoring from where it left off?
Thanks