Solved: Splunk UF Backlog

johann2017 · ‎11-27-2019

Hey everyone, quick UF question here... If a UF stops for whatever reason then comes back on later on, will the UF send the backlogs it missed while the service went offline?

gcusello · ‎11-27-2019

Hi @johann2017,
yes: if connection with Indexer is interrupted, UF locally caches logs and send them as soon as connection is restored.

If it's the UF itself to stop, when it restarts it ingest all the logs from the last ingested.

There's only one situation when logs are lost and it's when I use an Heavy Forwarder to ingest syslogs but it's out of scope of your question.

Ciao.
Giuseppe

View solution in original post

richgalloway · ‎11-27-2019

Yes, UFs will pick up where they left off.

---
If this reply helps you, Karma would be appreciated.

johann2017 · ‎11-27-2019

Thank you rich!

gcusello · ‎11-27-2019

Hi @johann2017,
yes: if connection with Indexer is interrupted, UF locally caches logs and send them as soon as connection is restored.

If it's the UF itself to stop, when it restarts it ingest all the logs from the last ingested.

There's only one situation when logs are lost and it's when I use an Heavy Forwarder to ingest syslogs but it's out of scope of your question.

Ciao.
Giuseppe

Splunk UF Backlog

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3