Getting Data In

How can I configure Splunk Forwarder to NOT index historical WinEvents?

Splunk Employee

I intend to install Splunk as a forwarder on my Windows boxes, but I only want Splunk to monitor for the very latest, most recent Windows events being logged now in real time, and I DO NOT want it to also index all of the historical events that may have been logged in the Event Viewer previously.

The reason is, when it starts indexing the historical Win Events, it causes the CPU to spike up initially, and I cannot allow that to happen when I deploy it on a new Windows server.

Can I configure Splunk on Windows to only index real-time data coming in now and avoid causing the CPU to spike upon initial deployment of Splunk?

1 Solution

Splunk Employee

current_only: http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata

Specify whether to index starting at earliest or most recent event

Use these settings to specify in which chronological order you want to index the events, from oldest->newest or newest->oldest, and whether you want to index all pre-existing events or just new events.

    start_from = oldest
    current_only = 1

start_from: By default, Splunk starts with the oldest data and indexes forward. We don't recommend changing this setting, as it results in a highly inefficient indexing process.

current_only: This option allows you to only index new events, from the moment Splunk was started. It acts like a tail to a file.

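As an added example (not from this thread and not Splunk's own code), a small Python audit that parses an inputs.conf deployment app and reports every enabled WinEventLog:// stanza that will still index pre-existing events because its effective current_only is not 1. The parser and the sample file are constructed here; it assumes only the per-file [default] stanza fallback that Splunk applies inside one .conf file.

```python
# Added example, not Splunk's code: audit an inputs.conf for Windows event log inputs that
# will still backfill history. Honours the per-file [default] stanza fallback Splunk applies.
import re

STANZA_RE = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def backfilling_inputs(text):
    """Return enabled WinEventLog:// stanzas whose effective current_only is not 1."""
    stanzas = parse_conf(text)
    defaults = stanzas.get("default", {})  # [default] values apply to every stanza in the file
    flagged = []
    for name, settings in stanzas.items():
        if not name.startswith("WinEventLog://"):
            continue
        effective = {**defaults, **settings}
        if effective.get("disabled", "0") in ("1", "true"):
            continue  # a disabled input indexes nothing
        if effective.get("current_only", "0") != "1":
            flagged.append(name)  # default 0 = start_from oldest existing event
    return flagged

# Constructed sample: Security inherits current_only = 1 from [default]; System overrides it to 0.
SAMPLE_INPUTS_CONF = """
[default]
current_only = 1
[WinEventLog://Security]
disabled = 0
start_from = oldest
[WinEventLog://System]
disabled = 0
current_only = 0
"""
```

Running backfilling_inputs(SAMPLE_INPUTS_CONF) flags only WinEventLog://System. Note that current_only = 1 trades completeness for the lower start-up cost: per the inputs.conf.spec entry for current_only, the input acquires only events that arrive while it is running, so nothing is collected for the time the forwarder is stopped.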

Path Finder

What happens if you stop Splunk for, say, one hour and start it again? Will it then continue from where it left off, or start from the most current once more, missing one hour of event logs?

Motivator

currentonly seems intended for initial data setup only, to be the "don't backfill" option. It would make no sense if it also didn't ingest queued data during a reboot. If that were the case there would be a HUGE need for a "currentonlybutkeepdataduringreboots" option, which clearly doesn't exist. Also I think it would go against the paradigm of elegant software development to have currentonly not ingest queues after reboots. Also that option of ingesting queues after reboots or not would definitely be specified in a different .conf file and not inputs.conf.

I don't have the official answer for you, but, yes, current_only will definitely still ingest data queues after reboots or short periods of starting and stopping. Long term? Like turning Splunk off for a week? I don't know.


Path Finder

Hi gkanapathy,

I am dealing with a similar issue. I am trying to ingest webserver logs, and the historical log data on the webserver is huge and brought Splunk down when I tried to ingest it. I want the Splunk UF to start from the latest or the day before's log file and ingest the new log files that are created in future.

Example:
exclude logs till March 27th.
ingest March 28th.log
March 29th.log
March 30th.log
March 31st.log
April 1st.log
...
and all log files post March 28th (normal Splunk UF behaviour)

Can I use the current_only=1 setting, or is there any other suggested recommendation?

Hope I was clear enough. Thanks in advance.
