Solved: How does Splunk forwarder handle data after uninst...

bruceclarke · ‎04-12-2016

I have a bunch of forwarder machines that were inadvertently renamed recently. As a result, our forwarder manager no longer recognized the machines in the correct server class and apps were removed from the machine.

One of the apps that was removed forwards data from a file. Since the app was uninstalled and later reinstalled, will the forwarder resend data from that file? Or will it still remember which line was last forwarded and just pick up where it left off?

lguinn2 · ‎04-12-2016

The "file pointer" that tracks how far Splunk has read the input file is stored in the "fishbucket." The fishbucket is stored with the indexes. Unless you have deleted or reset the fishbucket in some way, the forwarder should pick up where it left off in processing the input.

View solution in original post

lguinn2 · ‎04-12-2016

The "file pointer" that tracks how far Splunk has read the input file is stored in the "fishbucket." The fishbucket is stored with the indexes. Unless you have deleted or reset the fishbucket in some way, the forwarder should pick up where it left off in processing the input.

How does Splunk forwarder handle data after uninstalling and reinstalling an app?

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!