Hi!
I'm pretty new to Splunk and at the moment I'm trying to set up a centralized repository for all my Windows events via WMI. So far this works fine.
The only issue I have is that every time I add a server, Splunk retrieves all the events on the Windows server, even old ones. This leads to a license violation.
Can I somehow set a filter so that when I add a new server, it starts collecting events only from the moment I add the server, so I don't get all the "historical" data?
Thanks!!
Limit how far back your forwarder will look for older data to process:
$SPLUNK_HOME/etc/apps/MyApp/default/inputs.conf:
[monitor://<myPath>]
ignoreOlderThan = 1d
When onboarding new data from an extensive archive, avoid forwarding data older than your retention goal, and if the volume per day is huge, consider limiting it to 1d until you have been online for the length of your retention goal, then set it to your retention goal. The default for this value is 90 days. It is very possible to forward 90 days' worth of data all in one day and blow away your license.
Thanks for your answer!
I just don't know where to put the "ignoreolderthan" key in the case of a WMI configuration.
Giving more details in advance:
I added the WMI host via the web interface. So in the inputs.conf file I just have the line:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
The whole config seems to be in the wmi.conf file.
I tried to put the key in the inputs.conf file below the [script://xxxx] stanza as well as in the wmi.conf file below the [WMI:xxx] stanza.
When restarting Splunk, both options return an "Invalid key in stanza..." error message.
One question, if I understand it right:
When I use
current_only = 1
in wmi.conf, does it really mean that:
The events are collected normally. Then I stop Splunk for 5 minutes and restart it. The logs occurring in these 5 minutes are not retrieved.
Or will it start from its last checkpoint (and get the events from the 5 minutes it was stopped)?
Thanks!!!
Yes, the other option is to use current_only=1, and yes, it will skip any events between when you shut down Splunk and when you restart it. But the "damage" on your existing forwarders is already done, so you should just leave them alone and use current_only=1 for the new forwarders.
I do see a dilemma, though, if you are using DS: if you change this on DS, it will deploy to all forwarders and restart Splunk to make it take effect. The only way I can think of to not have a gap is to install a second exact-clone instance of Splunk on the existing forwarders and start it just before you shut down the original instance to make this change. After you restart the first one and shut down the second one, you will have some doubly-forwarded events that were created during the overlapped time that both were forwarding, so, for a while, always use dedup until the overlapped data ages out:
... | dedup _raw
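As an added example, not taken from the answer above: this is what the two settings look like side by side in wmi.conf on the instance doing the WMI collection. current_only is a wmi.conf key and belongs in the [WMI:...] input stanza, not in inputs.conf; ignoreOlderThan is only valid for [monitor://] stanzas in inputs.conf, which is why both placements tried earlier were rejected. The app name, server names, stanza names and index below are assumptions. The first stanza shows the default checkpoint behaviour that reads the whole existing log the first time a server is connected; the second shows current_only = 1 for servers that are being added now.

```ini
# $SPLUNK_HOME/etc/apps/MyApp/local/wmi.conf   (assumed app name; constructed example)

# Default behaviour (current_only = 0): Splunk keeps a checkpoint per log, so the
# first connection to a new server reads the entire existing log (the license hit),
# and after a restart it backfills whatever was written while Splunk was down.
[WMI:Application-existing]
server = srv-old-01
event_log_file = Application
interval = 5
current_only = 0
index = wineventlog
disabled = 0

# For newly added servers (current_only = 1): only events that arrive while the
# input is running are collected, so nothing historical is pulled in.
# Trade-off: anything written while Splunk is stopped is never collected.
[WMI:WinLogs-newservers]
server = srv-new-01, srv-new-02
event_log_file = Application, System, Security
interval = 5
current_only = 1
index = wineventlog
disabled = 0
```

A restart of the collecting instance is needed for wmi.conf changes to take effect. Two caveats a practitioner should weigh: the setting only helps for servers added after the change (events already indexed have already counted against the license), and with current_only = 1 every restart or outage of the collector is a permanent gap in the Security log, which matters if these events are used for detection or investigation rather than just archiving.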
OK, I understand what you mean, but I guess this is getting too complex.
If there is no simple switch like "ignoreolderthan" for WMI, I guess we will look for some other solution.
Thanks for your help!!