Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to set timing/interval when pulling event in WinEventLog using universal forwarder?

vin_ven27
Explorer
‎08-02-2022 11:48 PM

We install Universal forwarder in Windows Server for us to pull data from [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] to Splunk, to monitor jobs/event.
Currently per check we are getting data real time from WinEventLog. Is there a way that we can change the timing/interval in every 10mins? We already tried:

interval = 600, interval = <cron> , schedule = 600 and schedule = <cron> but doesn't work. 

May we know if you have any solution for this?

Please...

Labels (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 12:13 AM

Hi @vin_ven27,

You can find the options for a wineventlog input at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Inputsconf

Anyway, Splunk UF continously takes wineventlogs and send them (by default) every  30 seconds.

If you want, you can change the sending frequency on the outputs.conf.

It's not possible to set a frequency for wineventlog frequency.

Ciao.

Giuseppe

0 Karma
Reply

hazem
Path Finder
‎10-14-2024 01:24 AM

Hi @gcusello 

what about reading log from application log files? is it continuously monitoring or can we make it interval?

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-14-2024 01:38 AM

Hi @hazem ,

it's usually continouslòy monitored every 30 seconds, but you can cheange this frequency, even fi I'didn't do it.

Ciao.

Giuseppe

0 Karma
Reply

hazem
Path Finder
‎10-14-2024 01:50 AM

Hi @gcusello 

could you please provide me with the stanza to change the interval required to read logs from the log file?

 

,EX MSSQL-  ERROR.log file 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-14-2024 02:01 AM

Hi @hazem ,

now I don't find the parameter, also because I try to avoid to change it, the default value usually is the best solution.

Ciao.

giuseppe

0 Karma
Reply

vin_ven27
Explorer
‎08-03-2022 12:53 AM

Hi giuseppe,

May I know what parameters I can use in outputs.conf for the frequency setup?

I saw autoLBfrequency and polling_interval but I am not sure if I these is the parameter you are referring to. Please advise... tia

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 01:26 AM

Hi @vin_ven27.,

at https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Routeandfilterdatad#Filter_event_data_... you can find all the outputs.conf parameterts.

Between them see batchTimeout:

batchTimeout = <integer>
* How often, in seconds, to send out pipeline data.
* HTTP OUT batch pipeline data before sending out.
* If the wait time is greater than 'batchTimeout', HEC sends the data 
  out immediately.
* Default: 30

But, why do you want to have data at fixed intervals instead continously?

Ciao.

Giuseppe

0 Karma
Reply

vin_ven27
Explorer
‎08-03-2022 02:49 AM

Hi Giuseppe,

Thank you for asking. Actually the client had CPU problem in windows server end and they seeing that this is the cause of Universal Forwarder as per they initial checks. So this is our work around just to refrain of getting the data real time. 

We believe (somehow) that it will resolve the problem by changing interval in every 30mins. However, we have also another approach which are the whitelist/blacklist but it seems like it is not working for us. We think that it is because the task name event is not a part  of the filtering suggestion for whitelist/blacklist. The suggested events are EventID, Category, message,  Opcode etc which are not available in the _raw events. This is related to this link: https://community.splunk.com/t5/Getting-Data-In/How-to-setup-to-whitelist-and-blacklist-in-inputs-co...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 02:55 AM

Hi @vin_ven27,

I encountered this kind of problem and I solved with Splunk Support, so I hint to open a ticket.

usually the problem is related to the connection with the DNS for url resolution not to the frequency of data send.

Ciao.

Giuseppe

0 Karma
Reply

vin_ven27
Explorer
‎08-03-2022 03:02 AM

Will do. thanks buddy. Appreciated your help.

 

Ciao.

Alvin

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 08:49 AM

Hi @vin_ven27,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...