Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is there a comparison done when Windows Event Forwarding service is turned back on?

GregAston
New Member
‎03-11-2019 09:49 AM

If I have a Windows 2008 R2 Server and I need to turn off the Splunk Event forwarder service for a couple of hours and the system is still operational and logging information to the Windows Event Logs, once the service is turned back on will it do a differential check and use timestamps with the current logs the central Indexer has? Are those 2 hours of logs not going to get forwarded properly and must be manually sent to the Indexer or will they get sent in an automated batch once the service comes back online?

When I installed the Windows Event Forwarding service, I noticed it pushed all logs on the source server that was inside the Windows Event logs, so I am hoping it works the same if you turn the service back on, it runs a timestamp or delta check and pushes all missing logs to the Indexer.

0 Karma
Reply

nickhills
Ultra Champion
‎03-11-2019 10:36 AM

As long as you are not using current_only=1 In your inputs for the win event stanzas then it will recover where it left off.

By the sounds of it you did not set this (otherwise it would not have imported historic logs when you installed), but it’s worth checking to make sure it has not been enabled by someone else.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...