https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74940#M15313 <P>I believe the "splunk clean all" would work for my issue, but the forwarder was installed remotely using psexec and I'm unable log into the console. When I try to run "splunk clean all" through psexec it freezes and does not appear to do anything. Do you know where onthe forwarder this information is stored? Seems I could manually wipe the file instead.</P> Wed, 26 Jun 2013 19:00:13 GMT kmcconnell 2013-06-26T19:00:13Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74938#M15311 <P>I'm trying to pull in all the existing events from the Windows logs for a machine (application, security, &amp; system). I thought I had the inputs.conf setup correctly, but it is only pulling in events from the time that I pushed the inputs.conf file out (from the deployment server). Below is the inputs.conf section:</P> <P>[WinEventLog:Application]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> index=emn_investigation</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> index=emn_investigation</P> <P>[WinEventLog:System]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> index=emn_investigation</P> <P>Am I missing a setting? Do I need to remove the current_only = 0 setting? This data is going into a new index so I can delete the data completely if I need to try something else.</P> Mon, 28 Sep 2020 14:10:13 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74938#M15311 kmcconnell 2020-09-28T14:10:13Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74939#M15312 <P>Did you by any chance configure this forwarders inputs multiple times so that it may have been monitoring and so it remembers the former position?</P> <P>You can clean out the forwarders memory of where it was in the event long by running the command "splunk clean all".</P> <P>Omid</P> Tue, 25 Jun 2013 20:52:06 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74939#M15312 okrabbe_splunk 2013-06-25T20:52:06Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74940#M15313 <P>I believe the "splunk clean all" would work for my issue, but the forwarder was installed remotely using psexec and I'm unable log into the console. When I try to run "splunk clean all" through psexec it freezes and does not appear to do anything. Do you know where onthe forwarder this information is stored? Seems I could manually wipe the file instead.</P> Wed, 26 Jun 2013 19:00:13 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74940#M15313 kmcconnell 2013-06-26T19:00:13Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74941#M15314 <P>You could try deleting the files in the fishbucket directory located at $SPLUNK_home/var/lib/splunk/fishbucket</P> <P>Be sure the forwarder is stopped.</P> Wed, 26 Jun 2013 20:53:22 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-not-pulling-in-past-Window-events/m-p/74941#M15314 okrabbe_splunk 2013-06-26T20:53:22Z