https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79450#M16290 <P>This solution didn't work with a UF v 7.3.2 and Windows Server 2012R2 standard. </P> Mon, 21 Oct 2019 07:46:12 GMT criazuelo_splun 2019-10-21T07:46:12Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79447#M16287 <P>Hello, we are looking to collect Windows (Application, Security, and System) logs from 14 Domain Controllers. By default the Universal Forwarder begins indexing the logs from the systems earliest event to the most recent. Is there a way we can tell the forwarder to start collection of new events, and not index the old log files? </P> <P>Thanks!</P> Wed, 20 Jun 2012 13:01:52 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79447#M16287 zindain24 2012-06-20T13:01:52Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79448#M16288 <P>Via inputs.conf (local): current_only = 1</P> <P>or</P> <P>Via wmi.conf (remote) : current_only = 1</P> Wed, 20 Jun 2012 13:23:02 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79448#M16288 ysouchon 2012-06-20T13:23:02Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79449#M16289 <P>Thanks ysouchon, added the following to inputs.conf:</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 1<BR /> index = indexname</P> <P>[WinEventLog:System]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 1<BR /> index = indexname</P> <P>[WinEventLog:Application]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 1<BR /> index = indexname</P> Mon, 28 Sep 2020 11:58:00 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79449#M16289 zindain24 2020-09-28T11:58:00Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79450#M16290 <P>This solution didn't work with a UF v 7.3.2 and Windows Server 2012R2 standard. </P> Mon, 21 Oct 2019 07:46:12 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79450#M16290 criazuelo_splun 2019-10-21T07:46:12Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79451#M16291 <P>This solution didn't work with a UF v 7.3.2 and Windows Server 2012R2 standard.</P> Mon, 21 Oct 2019 07:47:56 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Start-collection-without-indexing-old-logs/m-p/79451#M16291 criazuelo_splun 2019-10-21T07:47:56Z