topic Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder in Getting Data In

How to set timing/interval when pulling event in WinEventLog using universal forwarder?

vin_ven27 — Wed, 03 Aug 2022 14:41:52 GMT

We install Universal forwarder in Windows Server for us to pull data from [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] to Splunk, to monitor jobs/event.
Currently per check we are getting data real time from WinEventLog. Is there a way that we can change the timing/interval in every 10mins? We already tried:

interval = 600, interval = <cron> , schedule = 600 and schedule = <cron> but doesn't work.

May we know if you have any solution for this?

Please...

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

gcusello — Wed, 03 Aug 2022 07:13:57 GMT

Hi @vin_ven27,

You can find the options for a wineventlog input at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Inputsconf

Anyway, Splunk UF continously takes wineventlogs and send them (by default) every 30 seconds.

If you want, you can change the sending frequency on the outputs.conf.

It's not possible to set a frequency for wineventlog frequency.

Ciao.

Giuseppe

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

vin_ven27 — Wed, 03 Aug 2022 07:53:56 GMT

Hi giuseppe,

May I know what parameters I can use in outputs.conf for the frequency setup?

I saw autoLBfrequency and polling_interval but I am not sure if I these is the parameter you are referring to. Please advise... tia

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

gcusello — Wed, 03 Aug 2022 08:26:50 GMT

Hi @vin_ven27.,

at https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues you can find all the outputs.conf parameterts.

Between them see batchTimeout:

batchTimeout = <integer> * How often, in seconds, to send out pipeline data. * HTTP OUT batch pipeline data before sending out. * If the wait time is greater than 'batchTimeout', HEC sends the data out immediately. * Default: 30

But, why do you want to have data at fixed intervals instead continously?

Ciao.

Giuseppe

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

vin_ven27 — Wed, 03 Aug 2022 09:49:44 GMT

Hi Giuseppe,

Thank you for asking. Actually the client had CPU problem in windows server end and they seeing that this is the cause of Universal Forwarder as per they initial checks. So this is our work around just to refrain of getting the data real time.

We believe (somehow) that it will resolve the problem by changing interval in every 30mins. However, we have also another approach which are the whitelist/blacklist but it seems like it is not working for us. We think that it is because the task name event is not a part of the filtering suggestion for whitelist/blacklist. The suggested events are EventID, Category, message, Opcode etc which are not available in the _raw events. This is related to this link: https://community.splunk.com/t5/Getting-Data-In/How-to-setup-to-whitelist-and-blacklist-in-inputs-conf-to-pulll/m-p/608021#M105525

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

gcusello — Wed, 03 Aug 2022 09:55:29 GMT

Hi @vin_ven27,

I encountered this kind of problem and I solved with Splunk Support, so I hint to open a ticket.

usually the problem is related to the connection with the DNS for url resolution not to the frequency of data send.

Ciao.

Giuseppe

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

vin_ven27 — Wed, 03 Aug 2022 10:02:57 GMT

Will do. thanks buddy. Appreciated your help.

Ciao.

Alvin

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

gcusello — Wed, 03 Aug 2022 15:49:47 GMT

Hi @vin_ven27,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

hazem — Mon, 14 Oct 2024 08:24:58 GMT

Hi @gcusello

what about reading log from application log files? is it continuously monitoring or can we make it interval?

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

gcusello — Mon, 14 Oct 2024 08:38:52 GMT

Hi @hazem ,

it's usually continouslòy monitored every 30 seconds, but you can cheange this frequency, even fi I'didn't do it.

Ciao.

Giuseppe

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

hazem — Mon, 14 Oct 2024 08:50:20 GMT

Hi @gcusello

could you please provide me with the stanza to change the interval required to read logs from the log file?

,EX MSSQL- ERROR.log file

Re: How to set Timing/Interval when pulling event in WinEventLog using Universal Forwarder

gcusello — Mon, 14 Oct 2024 09:01:05 GMT

Hi @hazem ,

now I don't find the parameter, also because I try to avoid to change it, the default value usually is the best solution.

Ciao.

giuseppe