Splunk Enterprise Version: 9.2.0.1

OpenShift Version: 4.14.30

We used to have Openshift Event logs coming in under sourcetype openshift_events under index=openshift_generic_logs

However, starting Sept 29, we suddenly did not receive any logs from that index and sourcetype.

The Splunkforwarders are still running and we did not do any changes to the configuration.

Here is the addon.conf that we have:

004-addon.conf
[general]
# addons can be run in parallel with agents
addon = true


[input.kubernetes_events]

# disable collecting kubernetes events
disabled = false

# override type
type = openshift_events

# specify Splunk index
index =

# (obsolete, depends on kubernetes timeout)
# Set the timeout for how long request to watch events going to hang reading.
# eventsWatchTimeout = 30m

# (obsolete, depends on kubernetes timeout)
# Ignore events last seen later that this duration.
# eventsTTL = 12h

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# exclude managed fields from the metadata
excludeManagedFields = true


[input.kubernetes_watch::pods]

# disable events
disabled = false

# Set the timeout for how often watch request should refresh the whole list
refresh = 10m

apiVersion = v1
kind = pod
namespace =

# override type
type = openshift_objects

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# exclude managed fields from the metadata
excludeManagedFields = true

Apologies if I'm missing something obvious here.

Thank you!