https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84865#M17652 <P>We've not been able to get this to work reliably, even splitting the collection up into groups of 50 ips, so are switching to a lightweight forwarder approach.</P> Mon, 15 Nov 2010 18:35:46 GMT andiih 2010-11-15T18:35:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84861#M17648 <P>I'm trying to configure splunk to collect system and security logs via WMI from workstations. I don't know who is at work and who is away, and its a fairly large estate (512 ip addresses) of which maybe only 50% may be switch on at any one time. They are all mostly off at night.</P> <P>Looking at the settings stanza for WMI.CONF I see </P> <PRE> [settings] * The settings stanza specifies various runtime parameters. * The entire stanza and every parameter within it is optional. * If the stanza is missing, Splunk assumes system defaults. initial_backoff = * How long to wait (in seconds) before retrying the connection to the WMI provider after the first connection error. * If connection errors continue, the wait time doubles until it reaches max_backoff. * Defaults to 5. max_backoff = * Maximum time (in seconds) to attempt reconnect. * Defaults to 20. max_retries_at_max_backoff = * Try to reconnect this many times once max_backoff is reached. * If reconnection fails after max_retries, give up forever (until restart). * Defaults to 2. </PRE> <P>Which (if I understand it correctly) means it will retry each IP as follows</P> <PRE> 5s 10s 20s 20s 20s give up forever. </PRE> <P>Which is obviously useless, as any machine that is off overnight will be given up on forever. Am I reading this right ? Is there any way around it ?</P> Fri, 05 Nov 2010 22:13:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84861#M17648 andiih 2010-11-05T22:13:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84862#M17649 <P>I think your logic is sound. Hence if you set </P> <PRE><CODE>max_retries_at_max_backoff = 10000 </CODE></PRE> <P>you should be fine..</P> Sat, 06 Nov 2010 06:51:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84862#M17649 Genti 2010-11-06T06:51:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84863#M17650 <P>not sure if there is a max amount that you should use, but if the docs do not say, i take it there is not.</P> Sat, 06 Nov 2010 06:51:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84863#M17650 Genti 2010-11-06T06:51:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84864#M17651 <P>Will this wait for 10000 backoff limits before trying the next IP address ? Or are the requests sent concurrently ?</P> Tue, 09 Nov 2010 01:59:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84864#M17651 andiih 2010-11-09T01:59:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84865#M17652 <P>We've not been able to get this to work reliably, even splitting the collection up into groups of 50 ips, so are switching to a lightweight forwarder approach.</P> Mon, 15 Nov 2010 18:35:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-collect-windows-system-security-logs/m-p/84865#M17652 andiih 2010-11-15T18:35:46Z