- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: I have configured input.conf of splunk univers...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have configured input.conf of splunk universal forwader but logs are receving with a delay of almost one hour.Unable to receive current logs
My inputs.conf are mentioned below.
Make sure these get forwarded
[monitor://C:\Windows\System32\winevt\Logs\Security.evtx]
index=windowlogs
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any reason you're ingesting windows logs like this, by pointing at the evtx files? I think Splunk documentation even explicitely mentions that you shouldn't read the live evtx file that is still being written to.
To ingest windows logs from the local machine, use the [WinEventLog://Security] input stanza. For details: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey@aqudoos,
Are the internal logs of the forwarder also delayed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NO.Internal logs of forwarder are not delayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you check the connectivity between forwarder and indexer? Also check indexing queue in monitoring console.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forwarder was installed on the same server where splunk enterprise was installed for testing purposes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh. Can you check _internal logs for error and check indexing queue in monitoring console?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am receiveing below mentioned error with high frequency.
ERROR TcpInputProc - Message rejected. Received unexpected message of size=174291836 bytes from src=x.x.x.x:12345 in streaming mode. Maximum message size allowed=63412458. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share configuration details of outputs.conf and deploymentclients.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't configured outputs.conf as during installation I enter the deployment server and receiver indexer details.The same purpose will be done in ouput.conf if you didn't enter during installation.Other than input.conf I didn't changed any configuration.
Am I right or missing something.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
