Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to configure a Windows Splunk forwarder to pic...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am in the process of adding the following to an inputs.conf file with the intent of forwarding events from a Windows Event Forwarding Server:
[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
This has prompted a question, though. It is my understanding that the "current_only" value can be used to tell Splunk to either start reading events from the beginning, or only the most current (as in tail -f). If the forwarder service stops for some reason, and events are not forwarded, is there a way to instruct the forwarder to "pick up where it left off" so to speak? Is the forwarder capable of remembering the last event which was forwarded so to start at that point as opposed to either at the beginning or end?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Default behavior
The Splunk forwarder always remembers where it left off and restarts from that point for file-based inputs. Each time the forwarder examines a file, it starts from its current file pointer within the file; this file pointer is preserved in the Splunk internal index called the "fishbucket." Stopping or restarting the forwarder will not cause any events to be skipped.
current_only=0 tells Splunk to read all events. This aligns with the default behavior above. current_only=0 is the default setting.
current_only=1 overrides the default behavior. It specifies that Splunk should start collecting the data from the current point in time and ignore older data in the event log. If you stop or restart the Splunk forwarder with this setting, Splunk will probably skip events.
I would not use current_only=1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Default behavior
The Splunk forwarder always remembers where it left off and restarts from that point for file-based inputs. Each time the forwarder examines a file, it starts from its current file pointer within the file; this file pointer is preserved in the Splunk internal index called the "fishbucket." Stopping or restarting the forwarder will not cause any events to be skipped.
current_only=0 tells Splunk to read all events. This aligns with the default behavior above. current_only=0 is the default setting.
current_only=1 overrides the default behavior. It specifies that Splunk should start collecting the data from the current point in time and ignore older data in the event log. If you stop or restart the Splunk forwarder with this setting, Splunk will probably skip events.
I would not use current_only=1.
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
