Re: Data could not be written:

bogdan_nicolesc · ‎12-27-2021

I have searched high and low for an answer here and on web, but seems that i can't find a suitable answer.

Did anyone got this error while tring to get data in?

Data could not be written: /nobody/search/inputs/WinEventLog://System/start_from: oldest

I played a bit with System log of windows and at first i used the "Local event log collection" but then changed my mind and changed it to "Remote event log collections".

But yet again, first time, using "Local event log collection" i got older data too, second time using "Remote event log collections" i get only newer data.

What can i do to reset it? In what file should i look?

Thank you.

bogdan_nicolesc · ‎12-27-2021

Did all that and i get the same error.

scelikok · ‎12-27-2021

Hi @bogdan_nicolesc,

In order to reset the checkpoint you should delete below file on Windows host and restart Universal Forwarder service.

C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System

If this reply helps you an upvote and "Accept as Solution" is appreciated.

bogdan_nicolesc · ‎12-27-2021

Would a pc reboot would do?

Data could not be written:

indexer

monitor

syslog

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor