https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510301#M8262 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223950">@Jeronimo317</a>&nbsp;</P><P>what is your setup? Are you trying to forward wineventlog from remote server to splunk using universal forwarder?</P><P>Please make sure you have the following configurations in place</P><UL><LI>open port 9997 on receiving instance</LI><LI>configure outputs.conf on UF to send data to splunk indexer</LI><LI>open network connection (for port 9997) between remote server &amp; splunk instance</LI></UL><P>Please refer below page for more details</P><P><A href="https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/HowtoforwarddatatoSplunkEnterprise" target="_blank">https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/HowtoforwarddatatoSplunkEnterprise</A>&nbsp;</P><P>Hope this helps</P> Tue, 21 Jul 2020 21:28:41 GMT anilchaithu 2020-07-21T21:28:41Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510293#M8259 <P>Hi team, the issue that I am currently experiencing is that WinEventLog not sending data to the main index . I am new to Splunk and so far have not been able to figure out the reason. Thoughts?</P> Tue, 21 Jul 2020 21:04:21 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510293#M8259 Jeronimo317 2020-07-21T21:04:21Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510301#M8262 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223950">@Jeronimo317</a>&nbsp;</P><P>what is your setup? Are you trying to forward wineventlog from remote server to splunk using universal forwarder?</P><P>Please make sure you have the following configurations in place</P><UL><LI>open port 9997 on receiving instance</LI><LI>configure outputs.conf on UF to send data to splunk indexer</LI><LI>open network connection (for port 9997) between remote server &amp; splunk instance</LI></UL><P>Please refer below page for more details</P><P><A href="https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/HowtoforwarddatatoSplunkEnterprise" target="_blank">https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/HowtoforwarddatatoSplunkEnterprise</A>&nbsp;</P><P>Hope this helps</P> Tue, 21 Jul 2020 21:28:41 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510301#M8262 anilchaithu 2020-07-21T21:28:41Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510416#M8265 <P><SPAN>Are you trying to forward wineventlog from remote server to splunk using universal forwarder? - Yes, and it has been working fine. Suddenly I stopped seeing WinEventLog sending data to the main index. What could be a reason and how can I troubleshoot? Thanks</SPAN></P> Wed, 22 Jul 2020 12:25:01 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510416#M8265 Jeronimo317 2020-07-22T12:25:01Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510422#M8266 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223950">@Jeronimo317</a>,</P><P>which Technical Add-On are you using?</P><P>See in the inputs.conf if there's an index (usually wineventlog).</P><P>Ciao.</P><P>Giuseppe</P> Wed, 22 Jul 2020 12:41:57 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510422#M8266 gcusello 2020-07-22T12:41:57Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510442#M8267 <P>Hi gcusello, I am not sure what do you mean by which Technical Add-on?</P> Wed, 22 Jul 2020 13:27:56 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510442#M8267 Jeronimo317 2020-07-22T13:27:56Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510445#M8268 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223950">@Jeronimo317</a>,</P><P>did you created your own inputs.conf or did you take the Splunk_TA_Windows to take the logs from wineventlog?</P><P>Index is usually assigned in inputs.conf, so you should see in the active inputs.conf what's the index assignment.</P><P>From your answer I suppose that you didn't used the TA but the web gui inputs configuration; if this is your situation, see in the inputs configuration [Settings -- Inputs] what's the index assignment.&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Wed, 22 Jul 2020 13:38:44 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/510445#M8268 gcusello 2020-07-22T13:38:44Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/511096#M8279 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/204579">@anilchaithu</a>&nbsp;, thank you for your help I figured out the issue. Turned out that the index was not specifically set in the input.conf and by default the ingest was going to main as oppose to wineventlog. Seems to be OK now. Thanks again&nbsp;</P> Mon, 27 Jul 2020 12:20:00 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/511096#M8279 Jeronimo317 2020-07-27T12:20:00Z https://community.splunk.com/t5/Reporting/WinEventLog/m-p/511101#M8280 <P>Good!</P><P>If your isse was solved, please accept the answer for the other people of the Community.</P><P>Ciao and Next Time!</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 27 Jul 2020 12:33:32 GMT https://community.splunk.com/t5/Reporting/WinEventLog/m-p/511101#M8280 gcusello 2020-07-27T12:33:32Z