Why are Splunk forwarders failing to send some of the Windows application Event logs for some devices? We are using Splunk_TA_windows add on for ingesting the window event viewer logs into splunk. We do not observer any Error in the internal log but found some Warning Message as mentioned below:
3/19/18
11:33:47.270 PM
03-19-2018 23:33:47.270 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 23:33:47 2018). Context: source::WMI:Services|host::XXXXXX|WMI:Services|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:50:29.897 PM
03-19-2018 22:50:29.897 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:50:29 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:48:36.030 PM
03-19-2018 22:48:36.030 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:48:35 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:45:09.527 PM
03-19-2018 22:45:09.527 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:45:09 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
Please find the inputs.conf:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
_meta=fromserver::Y
Is there any other configuration that i needed to check? What am i missing here to check?
We have some many eventcode but only few of them are getting ingested into splunk
on one hand, your inputs refer to the forwarder monitor, on the other hand, your error suggests WMI inputs.
might have some conflict there, can you verify the entire inputs.conf? do you have inputs.conf in /etc/system/local as well?
Yeah the inputs.conf that I have shared is from local folder. Where do I need to check for WMI inputs for the discrepancy.