topic How splunk UF handle windows EventLog rotation? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-splunk-UF-handle-windows-EventLog-rotation/m-p/445672#M77540 <P>We have a file sever which generates about 7G windows Event Log a day. Windows Event Log is rotated as soon as the size reach to 200MB. We want to use splunk UF to get the logs, but we have follow concern:<BR /> <STRONG>Is it possible that splunk UF cannot get the log right before the rotation happened ?</STRONG><BR /> (we don't know how UF handle event logs, we just assume UF might not get the one right before the rotation before it is moved to backup so fast)<BR /> We only need to know what happen in the general situation but not in the case such like UF service is down or Indexer server is down.)</P> Mon, 01 Jul 2019 00:44:31 GMT xiyangyang 2019-07-01T00:44:31Z How splunk UF handle windows EventLog rotation? https://community.splunk.com/t5/Getting-Data-In/How-splunk-UF-handle-windows-EventLog-rotation/m-p/445672#M77540 <P>We have a file sever which generates about 7G windows Event Log a day. Windows Event Log is rotated as soon as the size reach to 200MB. We want to use splunk UF to get the logs, but we have follow concern:<BR /> <STRONG>Is it possible that splunk UF cannot get the log right before the rotation happened ?</STRONG><BR /> (we don't know how UF handle event logs, we just assume UF might not get the one right before the rotation before it is moved to backup so fast)<BR /> We only need to know what happen in the general situation but not in the case such like UF service is down or Indexer server is down.)</P> Mon, 01 Jul 2019 00:44:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-splunk-UF-handle-windows-EventLog-rotation/m-p/445672#M77540 xiyangyang 2019-07-01T00:44:31Z Re: How splunk UF handle windows EventLog rotation? https://community.splunk.com/t5/Getting-Data-In/How-splunk-UF-handle-windows-EventLog-rotation/m-p/445673#M77541 <P>If you use the WinEventLog monitor (<A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor</A>) it shouldn't care about the log rolling. It doesn't actually care about the log file itself as it monitors the specific event log channel rather than the .evtx file.</P> Mon, 01 Jul 2019 16:54:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-splunk-UF-handle-windows-EventLog-rotation/m-p/445673#M77541 mdsnmss 2019-07-01T16:54:26Z