Getting Data In

Resetting Remote Windows Event collection "starting point"


While testing some training materials, I created a temporary index and a remote windows event collection input for my own PC.

Then I deleted it and recreated it exactly as it had been. Again, testing docs for training. 😞

But my newly recreated input only grabbed events newer than the last time it indexed it and ignored the 2 or 3 weeks of previous entries. I figured this wasn't too big of a deal, I've reset file monitoring and database monitoring before, but I can't figure out how to reset the remote windows event collections.

I saw this: I tried http://answers.splunk.com/answers/30006/how-do-i-trigger-the-re-indexing-of-events-from-a-locally-co...
But when I open the appropriate file in there with an SQLite DB viewer I only have 8 rows for other inputs, nothing for the one I need to start over.

So, does anyone have any ideas?

1 Solution


Resolved, with some help from Support getting me in the right location.

I realized that the DB mentioned in the original question was old data, so I searched my system for another copy of said DB and found one in D:\splunk. Don't remember when I moved it, but whatever. 🙂

Unfortunately, while that one had newer information in it, it still wasn't quite current. But it got me in the right spot to look around and I found in there a folder d:\splunk\persistentstorage\wmi\ with a file in it "wmi.ini". That file had rows matching the "problem" machine name along with all the other machines I had listed in that input type.

So, to confirm I ...

  1. Deleted the input.
  2. Deleted the temporary index I had been using for that input.
  3. Stopped Splunk.
  4. Edited \persistentstorage\wmi\wmi.ini and removed lines referencing my PC name and saved the file.
  5. Started Splunk.
  6. Created new temporary index.
  7. Created new input just like the old one.

That worked as desired and that index now contains all the events my PC has on it instead of only the most recent ones.

NOTE: it appears that version 6.0 switched from recording this information in the SQLite DB and instead put it in the file I mentioned above.

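Steps 3 to 5 of the accepted answer (stop Splunk, strip the host's lines from wmi.ini, start Splunk) are the part that is easy to get wrong by hand, so here is an added PowerShell example that automates exactly those three steps. It is not code from the original post or from Splunk. It assumes the file layout the answer describes (one or more lines in wmi.ini contain the host name), the wmi.ini path from the answer, and the Windows service name `splunkd`; all three are parameters so you can adjust them. It takes a timestamped backup before writing and supports a dry run that only reports what would be removed. Deleting and recreating the input and the temporary index (steps 1, 2, 6 and 7) is still done in Splunk Web as the answer describes.

```powershell
# Added example (not from the original post): reset the remote Windows event
# collection checkpoint for a single host by removing its lines from wmi.ini.
# Assumptions: the checkpoint file is at the path below, lines in it contain
# the host name, and Splunk runs as the Windows service 'splunkd'.
param(
    [Parameter(Mandatory)] [string] $HostName,
    [string] $WmiIni      = 'D:\splunk\persistentstorage\wmi\wmi.ini',   # path from the answer; adjust for your install
    [string] $ServiceName = 'splunkd',                                   # assumed service name
    [switch] $DryRun                                                     # report only, change nothing
)

if (-not (Test-Path -Path $WmiIni)) { throw "wmi.ini not found at $WmiIni" }

# Stop Splunk first so it does not rewrite the checkpoint file underneath us.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -eq 'Running' -and -not $DryRun) {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 120))
}

$lines = @(Get-Content -Path $WmiIni)

# Case-insensitive, word-bounded match so that removing "PC1" does not also
# strip the checkpoint lines for "PC10" or "MYPC1".
$pattern = '(?i)(?<![A-Za-z0-9_-])' + [regex]::Escape($HostName) + '(?![A-Za-z0-9_-])'
$keep    = @($lines | Where-Object { $_ -notmatch $pattern })
$removed = $lines.Count - $keep.Count

Write-Host "$removed line(s) referencing '$HostName' found in $WmiIni"
if ($removed -eq 0) {
    Write-Warning "No checkpoint lines for '$HostName'; nothing to reset."
}

if (-not $DryRun -and $removed -gt 0) {
    # Keep a timestamped copy so the old checkpoint can be restored if needed.
    $backup = "$WmiIni.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $WmiIni -Destination $backup
    Set-Content -Path $WmiIni -Value $keep
    Write-Host "Backup written to $backup; $WmiIni updated."
}

# Restart Splunk so the recreated input starts from a clean checkpoint.
if (-not $DryRun) { Start-Service -Name $ServiceName }
```

Run it first with `-DryRun -HostName MYPC` to confirm it finds the expected lines and nothing else; the word-boundary pattern is there because a bare substring match would also wipe the checkpoints of any host whose name merely contains yours, which would silently re-index those machines too.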



Sorry, conversion must have done a number on the formatting.
