Getting Data In

How to configure the WMI event collection start date so when I add a new Windows server, Splunk doesn't retrieve historical data?

ewicher
New Member

Hi!

I'm pretty new to Splunk and at the moment, I'm trying to set up a centralized repository for all my Windows events via WMI. So far this works fine.
Only issue I have is that every time I add a server, splunk retrieves all the events on the Windows Server - even old ones. This leads to a license violation.
Can I somehow set a filter that when I add a new server, have it start with the event collection only from the moment I add the server so I don't get all the "historical" data?

Thanks!!

Tags (4)
0 Karma

woodcock
Esteemed Legend

Limit how far back your Forwader will look for older data to process:

$SPLUNK_HOME/etc/apps/MyApp/default/inputs.conf:
[monitor://<myPath>]
ignoreOlderThan = 1d

When onboarding new data from an extensive archive, avoid forwarding data older than your retention goal, and if volume/day is huge, consider limiting it to 1d until you have been online for the length of your retention goal, then set it to your retention goal. The default for this value is 90 days. It is very possible to forward 90 days worth of data all in 1 day and blow away your license.

0 Karma

ewicher
New Member

Thanks for your answer!
I just don't know where to put the "ignoreolderthan" key in the case of an WMI configuration.

Giving more details in advance:
I added the WMI host via the webinterface. So in the inputs.conf file I just have the line:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
The whole config seems to be in the wmi.conf file.

I tried to put the key in the inputs.conf file below the [script://xxxx] stanza as well as in the wmi.conf file below the [WMI:xxx] stanza.
When restarting splunk both options return a "Invalid key in stanza..." Error message.

One question if I understand it right:
When I use
current_only = 1
in the wmi.conf, does it really mean that:
The events are collected normally. Than I stop splunk for 5 minutes and restart it. The logs occurring in this 5 minutes are not retrieved.
Or will he start from his last checkpoint (get the events of the 5 minutes he was stopped)?

Thanks!!!

0 Karma

woodcock
Esteemed Legend

Yes, the other option is to use current_only=1 and yes, it will skip any events between when you shut down Splunk until when you restart it. But the "damage" on your existing forwarders is already done so you should just leave them alone and use current_only=1 for the new forwarders. I do see a dilemma, though, if you are using DS: if you change this on DS, it will deploy to all forwarders and restart Splunk to make it take effect. The only way I can think of to not have a gap is to install a second exact-clone instance of Splunk on the existing forwarders and start it just before you shut down original instance to make this change. After you restart the first one and shut down the second one, you will have some doubly-forwarded events that were created by the overlapped time that both were forwarding so, for a while, always use dedup until the overlapped data ages out:

... | dedup _raw
0 Karma

ewicher
New Member

OK, I understand what you mean, but I guess this is getting to complex.
If there is no simple switch like the "ignoreolderthan" for WMI I guess we will look for some other solution.

Thanks for your help!!

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...