Solved: Re: Events on Heavy Forwarder not available on Sea...

timrich66 · ‎09-16-2020

This issue is primarily related to events ingested via the IMAP Mailbox App

We are running a distributed environment with a HF, 3x indexer and 3x search head (accessed via a VIP).

The install has been carried out as per the README.txt instructions for a distributed environment.

Some events are only appearing when searched for on the HF. They do not appear when searched for on the SH's.

The results are mixed in that some email events do not appear at all on the SH's and some events may or may not appear. That is a search on HF returns 11 events. The same search on SH returns 8 events.

As always, thanks very much for assistance.

timrich66 · ‎09-24-2020

This issue was caused by the setting 'indexAndForward' in outputs.conf causing events to be dropped when the queues were too busy.

The 'indexAndForward' stanza was set to false and the events are now all available via the SH.

View solution in original post

timrich66 · ‎09-24-2020

This issue was caused by the setting 'indexAndForward' in outputs.conf causing events to be dropped when the queues were too busy.

The 'indexAndForward' stanza was set to false and the events are now all available via the SH.

isoutamo · ‎09-16-2020

So you have installed this app to the one HF only and outputs.conf points to your indexers?
Are your indexers and SHs on clusters or are those individuals?
r. Ismo

timrich66 · ‎09-16-2020

Hi @isoutamo

Yes, $splunkhome/system/local/outputs.conf points to indexers.

indexers and SHs are clustered

Events on Heavy Forwarder not available on Search Head - IMAP Mailbox

heavy forwarder

indexer

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!