Getting Data In

Resetting Remote Windows Event collection "starting point"

Richfez (SplunkTrust)

While testing some training materials, I created a temporary index and a remote Windows event collection input for my own PC.

Then I deleted it and recreated it exactly as it had been. Again, testing docs for training. 😞

But my newly recreated input only grabbed events newer than the last time it indexed it and ignored the 2 or 3 weeks of previous entries. I figured this wasn't too big of a deal, I've reset file monitoring and database monitoring before, but I can't figure out how to reset the remote windows event collections.

I saw this: I tried http://answers.splunk.com/answers/30006/how-do-i-trigger-the-re-indexing-of-events-from-a-locally-co...
But when I open the appropriate file in there with an SQLite DB viewer I only have 8 rows for other inputs, nothing for the one I need to start over.

So, does anyone have any ideas?

1 Solution

Richfez (SplunkTrust)

Resolved, with some help from Support getting me in the right location.

I realized that the DB mentioned in the original question was old data, so I searched my system for another copy of said DB and found one in D:\splunk. Don't remember when I moved it, but whatever. 🙂

Unfortunately, while that one had newer information in it, it still wasn't quite current. But it got me in the right spot to look around and I found in there a folder d:\splunk\persistentstorage\wmi\ with a file in it "wmi.ini". That file had rows matching the "problem" machine name along with all the other machines I had listed in that input type.

So, to confirm I ...

  1. Deleted the input.
  2. Deleted the temporary index I had been using for that input.
  3. Stopped Splunk.
  4. Edited \persistentstorage\wmi\wmi.ini and removed lines referencing my PC name and saved the file.
  5. Started Splunk.
  6. Created new temporary index.
  7. Created new input just like the old one.

That worked as desired and that index now contains all the events my PC has on it instead of only the most recent ones.

NOTE: it appears that version 6.0 switched from recording this information in the SQLite DB and instead put it in the file I mentioned above.

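The stop / edit wmi.ini / start part of the procedure above, as an added PowerShell example. This is not code from the original post and not a Splunk-supplied tool; it assumes the Splunk home of D:\splunk named in the post, that splunk.exe in the bin folder stops and starts the instance, and that the wmi.ini lines for a host contain that host name as plain text (the post only says the rows "match the machine name", so the exact format is an assumption). The -DryRun switch lists what would be removed without stopping Splunk or touching the file; run it that way first. Deleting the input and the temporary index (steps 1, 2, 6 and 7) is left to the UI as in the post. Leave the old index in place and the re-collection will land on top of events you already have, so you get duplicates, and a full re-read of a host's event logs counts against your license like any other ingest.

```powershell
# Added example (not from the original post): reset the WMI collection "starting point"
# for one remote host by removing its lines from persistentstorage\wmi\wmi.ini.
# Assumptions (not stated on the page): Splunk home is D:\splunk as in the post,
# splunk.exe stop/start controls the instance, and a host's wmi.ini lines contain
# the host name as plain text.
param(
    [string]$SplunkHome = 'D:\splunk',
    [Parameter(Mandatory = $true)][string]$TargetHost,   # the PC whose checkpoint you want to clear
    [switch]$DryRun                                      # list matching lines only, change nothing
)

$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
$wmiIni    = Join-Path $SplunkHome 'persistentstorage\wmi\wmi.ini'

if (-not (Test-Path $wmiIni)) { throw "Not found: $wmiIni (check -SplunkHome)" }

# Splunk must be stopped first, otherwise it can rewrite the file behind you.
if (-not $DryRun) { & $splunkExe stop }

$keep    = @()
$dropped = @()
# Match the host name as a whole word, case-insensitively, so "PC1" does not also hit "PC10".
$pattern = "\b$([regex]::Escape($TargetHost))\b"
foreach ($line in @(Get-Content -Path $wmiIni)) {
    if ($line -imatch $pattern) { $dropped += $line } else { $keep += $line }
}

if ($dropped.Count -eq 0) {
    Write-Warning "No lines in $wmiIni reference '$TargetHost'; nothing to reset."
} else {
    Write-Host "Lines referencing '$TargetHost' ($($dropped.Count)):"
    $dropped | ForEach-Object { Write-Host "  $_" }
}

if (-not $DryRun -and $dropped.Count -gt 0) {
    # Timestamped backup so the old checkpoint can be put back if the result is not what you wanted.
    $backup = "$wmiIni.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $wmiIni -Destination $backup
    # ASCII is assumed to be adequate for this file; adjust -Encoding if yours contains non-ASCII text.
    Set-Content -Path $wmiIni -Value $keep -Encoding ASCII
    Write-Host "Removed $($dropped.Count) line(s); backup written to $backup"
}

if (-not $DryRun) { & $splunkExe start }
```

Usage: `.\Reset-WmiCheckpoint.ps1 -TargetHost MYPC -DryRun` from an elevated PowerShell on the Splunk host to see what would go, then the same command without `-DryRun` after the input and temporary index have been deleted, followed by recreating them as in the steps above.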

Richfez (SplunkTrust)

Sorry, conversion must have done a number on the formatting.
