Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Index previous log from remote windows host

katalinali
Path Finder
‎11-05-2010 05:22 AM

I install splunk 4.1.5 and input windows eventlog from remote host, but I find splunk just index data from date of installation. I have modified apps\search\local\inputs.conf with [WMI:WinEventLog:System] as start_from = oldest && current_only = 0. But splunk still don't index the previous log. Can anyone give some suggestions?

Tags (1)
0 Karma
Reply

hulahoop
Splunk Employee
Splunk Employee
‎11-05-2010 11:32 PM

Your input should be [WinEventLog:System] not [WMI:WinEventLog:System] if you are running Splunk as a light or regular forwarder.

If you want to use WMI, then the entry for system event logs is:

[WMI:AppAndSys]
server = foo, bar
interval = 10
event_log_file = System
disabled = 0

http://www.splunk.com/base/Documentation/latest/Admin/MonitorWMIdata

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...