Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I have configured input.conf of splunk universal forwader but logs are receving with a delay of almost one hour.Unable to receive current logs

aqudoos
Explorer
‎04-12-2018 10:20 PM

My inputs.conf are mentioned below.

Make sure these get forwarded

[monitor://C:\Windows\System32\winevt\Logs\Security.evtx]
index=windowlogs

Please help.

0 Karma
Reply

FrankVl
Ultra Champion
‎04-13-2018 05:43 AM

Any reason you're ingesting windows logs like this, by pointing at the evtx files? I think Splunk documentation even explicitely mentions that you shouldn't read the live evtx file that is still being written to.

To ingest windows logs from the local machine, use the [WinEventLog://Security] input stanza. For details: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata

0 Karma
Reply

deepashri_123
Motivator
‎04-12-2018 10:51 PM

Hey@aqudoos,

Are the internal logs of the forwarder also delayed?

0 Karma
Reply

aqudoos
Explorer
‎04-12-2018 11:13 PM

NO.Internal logs of forwarder are not delayed.

0 Karma
Reply

p_gurav
Champion
‎04-12-2018 10:33 PM

Can you check the connectivity between forwarder and indexer? Also check indexing queue in monitoring console.

0 Karma
Reply

aqudoos
Explorer
‎04-12-2018 11:16 PM

Forwarder was installed on the same server where splunk enterprise was installed for testing purposes.

0 Karma
Reply

p_gurav
Champion
‎04-12-2018 11:20 PM

oh. Can you check _internal logs for error and check indexing queue in monitoring console?

0 Karma
Reply

aqudoos
Explorer
‎04-12-2018 11:42 PM

I am receiveing below mentioned error with high frequency.

ERROR TcpInputProc - Message rejected. Received unexpected message of size=174291836 bytes from src=x.x.x.x:12345 in streaming mode. Maximum message size allowed=63412458. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

0 Karma
Reply

p_gurav
Champion
‎04-13-2018 05:01 AM

Can you share configuration details of outputs.conf and deploymentclients.conf?

0 Karma
Reply

aqudoos
Explorer
‎04-13-2018 05:06 AM

I haven't configured outputs.conf as during installation I enter the deployment server and receiver indexer details.The same purpose will be done in ouput.conf if you didn't enter during installation.Other than input.conf I didn't changed any configuration.

Am I right or missing something.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top