Here's a possible explanation for the interruption some folks are seeing. We observed the same behavior today with our on-prem Splunk heavy forwarder not getting events from the CrowdStrike Falcon Event Streams API for the past 7 days. We eventually found that the past 7 days of "missing" events were getting pulled into our Splunk Cloud stack, where we had also deployed the CrowdStrike Falcon Event Streams add-on for Splunk, i.e., we had 2 separate Splunk deployments requesting the same data. It seems that only one API "client" instance would always get the data, and the other was left out to dry. When we disabled the input configured on Splunk Cloud, the on-prem Splunk HF started to get the event stream again, collecting all 7 days of "missing" events as well as new events. To enable dual inputs, we plan to configure a separate CrowdStrike API key for the Splunk Cloud stack. I hope this helps others who've seen this issue.
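Two sanity checks motivated by the post above, written here as an added example (not code from the post's author, from Splunk, or from CrowdStrike). The first flags a collector whose newest event is older than an expected freshness window, which would have surfaced the heavy forwarder's silence well before 7 days; the second flags inputs on different deployments that reuse the same API client ID, the contention the post describes. Deployment names, input names and client IDs are constructed placeholders.

```python
"""Ingestion-freshness and shared-API-client checks (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed: newest event time observed on each Splunk deployment.
# Names are hypothetical; the on-prem HF has been silent for a week.
LAST_EVENT_SEEN = {
    "splunk-onprem-hf": datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc),
    "splunk-cloud": datetime(2023, 5, 8, 11, 55, tzinfo=timezone.utc),
}

# Constructed: the Event Streams input configured on each deployment and the
# API client ID it authenticates with. Both reuse one client, as in the post.
EVENT_STREAM_INPUTS = [
    {"deployment": "splunk-onprem-hf", "input": "falcon_event_streams",
     "client_id": "CLIENT-ID-PLACEHOLDER-1"},
    {"deployment": "splunk-cloud", "input": "falcon_event_streams",
     "client_id": "CLIENT-ID-PLACEHOLDER-1"},
]


def silent_consumers(last_seen, now, max_age):
    """Return {deployment: age_of_newest_event} for every consumer whose
    newest event is older than max_age. A non-empty result is a telemetry
    blind spot and should page someone, not wait for a weekly review."""
    return {name: now - ts for name, ts in last_seen.items() if now - ts > max_age}


def shared_client_ids(inputs):
    """Return {client_id: [deployments]} for client IDs configured on more
    than one deployment. Each consumer of the stream should have its own
    client so two collectors never compete for the same feed."""
    by_client = defaultdict(set)
    for cfg in inputs:
        by_client[cfg["client_id"]].add(cfg["deployment"])
    return {cid: sorted(deps) for cid, deps in by_client.items() if len(deps) > 1}


def longest_gap(timestamps):
    """Given event timestamps (any order), return the largest gap between
    consecutive events. Useful after a backfill to measure how long the
    outage actually lasted, since the backfilled data hides it from a
    simple 'latest event' check."""
    ordered = sorted(timestamps)
    if len(ordered) < 2:
        return timedelta(0)
    return max(b - a for a, b in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    now = datetime(2023, 5, 8, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    for name, age in silent_consumers(LAST_EVENT_SEEN, now, timedelta(hours=1)).items():
        print(f"ALERT: {name} has received no events for {age}")
    for cid, deps in shared_client_ids(EVENT_STREAM_INPUTS).items():
        print(f"WARN: API client {cid} is shared by {', '.join(deps)}")
    # Constructed event times: steady stream, a week of silence, then backfill.
    sample = [datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc) - timedelta(minutes=5 * i)
              for i in range(3)] + [now - timedelta(minutes=5 * i) for i in range(3)]
    print(f"Longest gap in the stream: {longest_gap(sample)}")
```

Run on a schedule against the latest `_time` per deployment (the post's symptom was a 7-day gap that nobody noticed), and run the client-ID check against the add-on's input configuration whenever a new Splunk stack is stood up.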