Getting Data In

Resetting Remote Windows Event collection "starting point"

Richfez
SplunkTrust

While testing some training materials, I created a temporary index and a remote Windows event collection input for my own PC.

Then I deleted it and recreated it exactly as it had been. Again, testing docs for training. 😞

But my newly recreated input only grabbed events newer than the last time it indexed it and ignored the 2 or 3 weeks of previous entries. I figured this wasn't too big of a deal; I've reset file monitoring and database monitoring before. But I can't figure out how to reset the remote Windows event collections.

I saw this: I tried http://answers.splunk.com/answers/30006/how-do-i-trigger-the-re-indexing-of-events-from-a-locally-co...
But when I open the appropriate file in there with an SQLite DB viewer I only have 8 rows for other inputs, nothing for the one I need to start over.

So, does anyone have any ideas?

1 Solution

Richfez
SplunkTrust

Resolved, with some help from Support getting me in the right location.

I realized that the DB mentioned in the original question was old data, so I searched my system for another copy of said DB and found one in D:\splunk. Don't remember when I moved it, but whatever. 🙂

Unfortunately, while that one had newer information in it, it still wasn't quite current. But it got me in the right spot to look around and I found in there a folder d:\splunk\persistentstorage\wmi\ with a file in it "wmi.ini". That file had rows matching the "problem" machine name along with all the other machines I had listed in that input type.

So, to confirm I ...

  1. Deleted the input.
  2. Deleted the temporary index I had been using for that input.
  3. Stopped Splunk.
  4. Edited \persistentstorage\wmi\wmi.ini and removed lines referencing my PC name and saved the file.
  5. Started Splunk.
  6. Created new temporary index.
  7. Created new input just like the old one.

That worked as desired and that index now contains all the events my PC has on it instead of only the most recent ones.

NOTE: it appears that version 6.0 switched from recording this information in the SQLite DB and instead put it in the file I mentioned above.
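The stop / edit / start steps above, written up as a PowerShell script. This is an added example, not code from the original post or from Splunk: the D:\splunk path and the wmi.ini location come from the post, while the script name, the whole-word host match, the backup step and the assumption that each checkpoint is one plain-text line containing the host name are mine.

```powershell
# Reset-WmiCheckpoint.ps1 (hypothetical name): drop the checkpoint lines for one
# host from Splunk's WMI checkpoint file so the input re-reads the whole event log.
# Assumes Splunk is installed under $SplunkHome and wmi.ini holds one checkpoint
# per line with the host name written literally in it, as the post describes.
param(
    [string]$SplunkHome = 'D:\splunk',          # path from the post; adjust as needed
    [Parameter(Mandatory)][string]$HostName     # the "problem" machine to reset
)

$ini = Join-Path $SplunkHome 'persistentstorage\wmi\wmi.ini'
if (-not (Test-Path $ini)) { throw "Checkpoint file not found: $ini" }

# Step 3 of the post: do not touch the file while splunkd is running, otherwise
# the service can write its in-memory checkpoints back over the edit on shutdown.
$svc = Get-Service -Name 'splunkd' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    throw "splunkd is $($svc.Status); stop it first (Stop-Service splunkd)."
}

# Keep a timestamped backup so the change can be reverted.
$backup = "$ini.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $ini -Destination $backup

# Match the host name as a whole word, case-insensitively, so that resetting
# "PC1" does not also remove the checkpoints for "PC10" or "PC-1".
$pattern = '(?i)(^|[^A-Za-z0-9-])' + [regex]::Escape($HostName) + '($|[^A-Za-z0-9-])'
$lines   = @(Get-Content -Path $ini)
$kept    = @($lines | Where-Object { $_ -notmatch $pattern })
$removed = $lines.Count - $kept.Count

# Step 4 of the post: write the file back without the matching lines.
# (The file's encoding is assumed to be plain ASCII; the default Set-Content
# encoding is used, so check the result if your file contains non-ASCII text.)
Set-Content -Path $ini -Value $kept
Write-Host "Removed $removed checkpoint line(s) for '$HostName'; backup at $backup"
```

Run it from an elevated prompt as `.\Reset-WmiCheckpoint.ps1 -HostName MYPC` (a constructed host name) between stopping and starting Splunk, then recreate the index and input as in steps 6 and 7.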


Richfez
SplunkTrust

Sorry, conversion must have done a number on the formatting.
