The PAM cluster was recently restarted as part of regular maintenance. After the cluster was restarted, Splunk stopped receiving session log messages from appliances in the secondary site.
Privileged Access Manager, 4.1.x & 4.2.0
Session logs are stored in a database table local to each appliance. This issue was caused by a combination of how Logstash tracks session log messages and how the session log table is handled during a cluster start.
The issue will be resolved as DE618128 in the 4.2.1 release. To get the logs flowing to Splunk again, please open a support case and reference this KB so that an engineer can provide a workaround.