https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210562#M41485 <P>Yes, I believe that is as intended. From the spec:</P> <PRE><CODE>current_only = [0|1] * If set to 1, the input will only acquire events that arrive while Splunk is running and the input is enabled. Data which was stored in the Windows Event Log while splunk was not running will not be read. This means that there will be gaps in data if splunk is restarted, or experiences downtime. </CODE></PRE> Wed, 03 Aug 2016 14:27:39 GMT twinspop 2016-08-03T14:27:39Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210561#M41484 <P>Here is my <CODE>inputs.conf</CODE> stanza from Splunk_TA_windows</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 1 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist = 4656,4658,4663,5156 index = wineventlog renderXml=false </CODE></PRE> <P>When we rolled out Splunk we set <CODE>current_only=1</CODE>, because we didn't want all of the old events ingested from all of our servers. This morning I was looking for some server reboot information and went looking for event code 4608 ("Windows is starting up"), but it was nowhere in Splunk for any server ever. I logged on to a particular server which I knew had been rebooted today and found 4608 was logged on the server.</P> <P>So, it appears that <CODE>current_only=1</CODE> applies to every time Splunk starts, not just the first time like I thought. That means that during a server reboot we do not collect any of the server events that occur before the Spunk service comes back online. I found another post where someone else experienced a similar thing.</P> <P>I changed the setting from <CODE>1</CODE> to <CODE>0</CODE> on a lightly used server to test this theory and rebooted it. This time 4608 was collected and I think (famous last words) that Splunk only ingested events in the gap.</P> <P>Is that the actual way in which the parameter is intended to work?</P> Tue, 29 Sep 2020 10:30:43 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210561#M41484 lycollicott 2020-09-29T10:30:43Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210562#M41485 <P>Yes, I believe that is as intended. From the spec:</P> <PRE><CODE>current_only = [0|1] * If set to 1, the input will only acquire events that arrive while Splunk is running and the input is enabled. Data which was stored in the Windows Event Log while splunk was not running will not be read. This means that there will be gaps in data if splunk is restarted, or experiences downtime. </CODE></PRE> Wed, 03 Aug 2016 14:27:39 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210562#M41485 twinspop 2016-08-03T14:27:39Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210563#M41486 <P>LOL, how did I miss that in everything I read this morning? I think I better go to lunch before I hurt myself!</P> Wed, 03 Aug 2016 14:46:36 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210563#M41486 lycollicott 2016-08-03T14:46:36Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210564#M41487 <P>hah, we've all been there!</P> Wed, 03 Aug 2016 14:50:42 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-inputs-Why-does-current-only-1-skip-server-reboot/m-p/210564#M41487 twinspop 2016-08-03T14:50:42Z