I am tearing my hair out trying to figure this one out... I had a powershell input on my UFs (both Win10 and Server 16) that was working fine until last week, when the events mysteriously stopped coming into my indexer. Here's the stanza from inputs.conf: [powershell://MPComputerStatus] script = get-mpcomputerstatus schedule = 5 sourcetype = Windows:MPComputerStatus (note that the schedule of 5 is just for debugging currently; normally it is set to 300) Everything appears to be functioning normally on the UF side - I look at splunk-powershell.ps1.log and I see the same lines from before and after the issue started: 11-11-2021...INFO Start executing script=get-mpcomputerstatus for stanza=MPComputerStatus 11-11-2021...INFO End of executing script..., execution time=0.0149976 seconds However, the events do not show up under sourcetype=windows:mpcomputerstatus anymore. All of the Windows event log events are still being forwarded. Here's what I have tried: updating Splunk and the forwarders from 8.1.2 to 8.2.3 running the UF service as both a domain service account (the previous setting) and Local System changing the logging config to DEBUG in log.cfg, log-cmdline.cfg Also, I found it odd that all of my Win10 workstations stopped on the same day, and my Server 2016 machine stopped on a different day. Any ideas? ... View more

I have a few endpoints with forwarders that need to be disconnected from the network for periods of time (up to a month in some instances). Since we forward Windows Event Log data (for security audits) to our indexer on the network, I do not want to lose any data and would like the forwarders to send all of the missing data to the indexer once they rejoin the network. I have been reading about acknowledgement and persistent queues, but it seems that the forwarder still keeps some data in memory. I would like to eliminate or at least severely minimize the amount of audit data in memory that will be lost. Can I combine the acknowledgement and persistent queue settings to achieve this? Can I set useACK=true and set maxQueueSize to something super small like maxQueueSize=1kb, then set the persistentQueueSize to an appropriate amount to cover the amount of time the forwarder will be disconnected? Is there a minimum limit to maxQueueSize? ... View more