Re: How to set Timing/Interval when pulling event ...

vin_ven27 · ‎08-02-2022

We install Universal forwarder in Windows Server for us to pull data from [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] to Splunk, to monitor jobs/event.
Currently per check we are getting data real time from WinEventLog. Is there a way that we can change the timing/interval in every 10mins? We already tried:

interval = 600, interval = <cron> , schedule = 600 and schedule = <cron> but doesn't work.

May we know if you have any solution for this?

Please...

gcusello · ‎08-03-2022

Hi @vin_ven27,

You can find the options for a wineventlog input at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Inputsconf

Anyway, Splunk UF continously takes wineventlogs and send them (by default) every 30 seconds.

If you want, you can change the sending frequency on the outputs.conf.

It's not possible to set a frequency for wineventlog frequency.

Ciao.

Giuseppe

vin_ven27 · ‎08-03-2022

Hi giuseppe,

May I know what parameters I can use in outputs.conf for the frequency setup?

I saw autoLBfrequency and polling_interval but I am not sure if I these is the parameter you are referring to. Please advise... tia

gcusello · ‎08-03-2022

Hi @vin_ven27.,

at https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Routeandfilterdatad#Filter_event_data_... you can find all the outputs.conf parameterts.

Between them see batchTimeout:

batchTimeout = <integer>
* How often, in seconds, to send out pipeline data.
* HTTP OUT batch pipeline data before sending out.
* If the wait time is greater than 'batchTimeout', HEC sends the data 
  out immediately.
* Default: 30

But, why do you want to have data at fixed intervals instead continously?

Ciao.

Giuseppe

vin_ven27 · ‎08-03-2022

Hi Giuseppe,

Thank you for asking. Actually the client had CPU problem in windows server end and they seeing that this is the cause of Universal Forwarder as per they initial checks. So this is our work around just to refrain of getting the data real time.

We believe (somehow) that it will resolve the problem by changing interval in every 30mins. However, we have also another approach which are the whitelist/blacklist but it seems like it is not working for us. We think that it is because the task name event is not a part of the filtering suggestion for whitelist/blacklist. The suggested events are EventID, Category, message, Opcode etc which are not available in the _raw events. This is related to this link: https://community.splunk.com/t5/Getting-Data-In/How-to-setup-to-whitelist-and-blacklist-in-inputs-co...

gcusello · ‎08-03-2022

Hi @vin_ven27,

I encountered this kind of problem and I solved with Splunk Support, so I hint to open a ticket.

usually the problem is related to the connection with the DNS for url resolution not to the frequency of data send.

Ciao.

Giuseppe

vin_ven27 · ‎08-03-2022

Will do. thanks buddy. Appreciated your help.

Ciao.

Alvin

gcusello · ‎08-03-2022

Hi @vin_ven27,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to set timing/interval when pulling event in WinEventLog using universal forwarder?

inputs.conf

universal forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!