Is there a comparison done when Windows Event Forw...

GregAston · ‎03-11-2019

If I have a Windows 2008 R2 Server and I need to turn off the Splunk Event forwarder service for a couple of hours and the system is still operational and logging information to the Windows Event Logs, once the service is turned back on will it do a differential check and use timestamps with the current logs the central Indexer has? Are those 2 hours of logs not going to get forwarded properly and must be manually sent to the Indexer or will they get sent in an automated batch once the service comes back online?

When I installed the Windows Event Forwarding service, I noticed it pushed all logs on the source server that was inside the Windows Event logs, so I am hoping it works the same if you turn the service back on, it runs a timestamp or delta check and pushes all missing logs to the Indexer.

nickhills · ‎03-11-2019

As long as you are not using current_only=1 In your inputs for the win event stanzas then it will recover where it left off.

By the sounds of it you did not set this (otherwise it would not have imported historic logs when you installed), but it’s worth checking to make sure it has not been enabled by someone else.

If my comment helps, please give it a thumbs up!

Is there a comparison done when Windows Event Forwarding service is turned back on?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life