Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is there a comparison done when Windows Event Forwarding service is turned back on?

GregAston
New Member
‎03-11-2019 09:49 AM

If I have a Windows 2008 R2 Server and I need to turn off the Splunk Event forwarder service for a couple of hours and the system is still operational and logging information to the Windows Event Logs, once the service is turned back on will it do a differential check and use timestamps with the current logs the central Indexer has? Are those 2 hours of logs not going to get forwarded properly and must be manually sent to the Indexer or will they get sent in an automated batch once the service comes back online?

When I installed the Windows Event Forwarding service, I noticed it pushed all logs on the source server that was inside the Windows Event logs, so I am hoping it works the same if you turn the service back on, it runs a timestamp or delta check and pushes all missing logs to the Indexer.

0 Karma
Reply

nickhills
Ultra Champion
‎03-11-2019 10:36 AM

As long as you are not using current_only=1 In your inputs for the win event stanzas then it will recover where it left off.

By the sounds of it you did not set this (otherwise it would not have imported historic logs when you installed), but it’s worth checking to make sure it has not been enabled by someone else.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...