Hello,
On a particular Linux server in our system, we run a Splunk forwarder and monitor a particular log file there. A service on that machine posts an XML message to the log once every 5 seconds. Due to the contents of these messages containing precision numbers, likely each one is unique.
This client (splunkforwarder) moves these events to our heavy forwarder, then from there to our indexer. Our indexer dutifully captures these events, but occasionally, one gets lost somewhere and is not indexed. The raw log on the Linux server does indeed contain the event.
The lost event was in the middle of the raw log on the server, so log rollover didn't play a part?
I don't have anything in props or transforms that might be triggered by any contents of these xml messages....
any ideas?
thanks so much.
michael
↧