- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk forwarders failing to send some of the Wind...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk forwarders failing to send some of the Windows application Event logs for some devices
Why are Splunk forwarders failing to send some of the Windows application Event logs for some devices? We are using Splunk_TA_windows add on for ingesting the window event viewer logs into splunk. We do not observer any Error in the internal log but found some Warning Message as mentioned below:
3/19/18
11:33:47.270 PM
03-19-2018 23:33:47.270 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 23:33:47 2018). Context: source::WMI:Services|host::XXXXXX|WMI:Services|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:50:29.897 PM
03-19-2018 22:50:29.897 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:50:29 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:48:36.030 PM
03-19-2018 22:48:36.030 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:48:35 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:45:09.527 PM
03-19-2018 22:45:09.527 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:45:09 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
Please find the inputs.conf:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
_meta=fromserver::Y
Is there any other configuration that i needed to check? What am i missing here to check?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have some many eventcode but only few of them are getting ingested into splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
on one hand, your inputs refer to the forwarder monitor, on the other hand, your error suggests WMI inputs.
might have some conflict there, can you verify the entire inputs.conf? do you have inputs.conf in /etc/system/local as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah the inputs.conf that I have shared is from local folder. Where do I need to check for WMI inputs for the discrepancy.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
