Getting Data In

Splunk forwarders failing to send some of the Windows application Event logs for some devices

Gayathirikuppus
New Member

Why are Splunk forwarders failing to send some of the Windows application Event logs for some devices? We are using the Splunk_TA_windows add-on for ingesting the Windows Event Viewer logs into Splunk. We do not observe any errors in the internal log, but found some warning messages as mentioned below:

3/19/18
11:33:47.270 PM
03-19-2018 23:33:47.270 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 23:33:47 2018). Context: source::WMI:Services|host::XXXXXX|WMI:Services|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:50:29.897 PM
03-19-2018 22:50:29.897 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:50:29 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:48:36.030 PM
03-19-2018 22:48:36.030 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:48:35 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:45:09.527 PM
03-19-2018 22:45:09.527 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:45:09 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd

Please find the inputs.conf:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = false
_meta = fromserver::Y

Is there any other configuration that I need to check? What am I missing here?


Gayathirikuppus
New Member

We have so many event codes, but only a few of them are getting ingested into Splunk.


adonio
SplunkTrust

On one hand, your inputs refer to the forwarder monitor; on the other hand, your error suggests WMI inputs.
There might be some conflict there. Can you verify the entire inputs.conf? Do you have an inputs.conf in /etc/system/local as well?

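The two points above (the warnings name WMI sources, while the shared inputs.conf only defines a WinEventLog input, and inputs.conf may exist in several layers) can be checked mechanically. The script below is an added example, not part of this thread or of Splunk_TA_windows: it extracts the source names from DateParserVerbose warnings like the ones in the question, parses a set of inputs.conf layers in Splunk's precedence order (app default, then app local, then etc/system/local), and reports which file enables the stanza behind each warned source. The log lines are copied from the question (hosts masked as there); the layer contents other than the poster's own stanza are constructed assumptions. On a real forwarder the same layering view comes from `splunk btool inputs list --debug`.

```python
import re
from collections import OrderedDict

# Constructed sample: the DateParserVerbose warnings from the question.
SAMPLE_SPLUNKD_LOG = """\
03-19-2018 23:33:47.270 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 23:33:47 2018). Context: source::WMI:Services|host::XXXXXX|WMI:Services|1
03-19-2018 22:50:29.897 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:50:29 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
03-19-2018 22:48:36.030 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:48:35 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
"""

# Constructed inputs.conf layers, lowest precedence first. The app/local layer is the
# poster's stanza; the other two layers are assumptions used to show a WMI conflict.
SAMPLE_LAYERS = [
    ("etc/apps/Splunk_TA_windows/default/inputs.conf",
     "[WinEventLog://Application]\ndisabled = 1\n\n[WMI:Services]\ndisabled = 1\n"),
    ("etc/apps/Splunk_TA_windows/local/inputs.conf",
     "[WinEventLog://Application]\ndisabled = 0\nstart_from = oldest\ncurrent_only = 0\n"
     "checkpointInterval = 5\nindex = wineventlog\nrenderXml = false\n_meta = fromserver::Y\n"),
    ("etc/system/local/inputs.conf",
     "[WMI:Services]\ndisabled = 0\ninterval = 60\n\n[WMI:SessionProcess]\ndisabled = 0\ninterval = 60\n"),
]

# Captures the source name between "source::" and the next "|" in the Context field.
WARN_RE = re.compile(r"WARN DateParserVerbose .*Context: source::([^|]+)\|")


def warned_sources(log_text):
    """Return {source_name: count} for DateParserVerbose warnings, in order of first appearance."""
    counts = OrderedDict()
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def parse_inputs_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, OrderedDict())
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(layers):
    """Apply layers in precedence order. Returns {stanza: (effective_settings, {key: file_that_set_it})}."""
    merged = OrderedDict()
    for path, text in layers:
        for stanza, settings in parse_inputs_conf(text).items():
            values, origins = merged.setdefault(stanza, (OrderedDict(), OrderedDict()))
            for key, value in settings.items():
                values[key] = value
                origins[key] = path
    return merged


def enabled_stanzas(layers):
    """Return {stanza: file that decided it is enabled} for every stanza whose effective 'disabled' is off."""
    result = OrderedDict()
    for stanza, (values, origins) in merge_layers(layers).items():
        if values.get("disabled", "0").lower() in ("0", "false"):
            # The file that last set 'disabled' wins; if nobody set it, the stanza's first file enabled it.
            result[stanza] = origins.get("disabled", next(iter(origins.values())))
    return result


def explain(log_text, layers):
    """Map each warned source to the file enabling its stanza, or None when no enabled stanza matches."""
    enabled = enabled_stanzas(layers)
    return OrderedDict((src, enabled.get(src)) for src in warned_sources(log_text))


if __name__ == "__main__":
    for src, origin in explain(SAMPLE_SPLUNKD_LOG, SAMPLE_LAYERS).items():
        print(f"{src}: enabled by {origin}" if origin else f"{src}: no enabled stanza found")
```

With the constructed layers, both WMI sources resolve to etc/system/local/inputs.conf, which is exactly the file the reply asks about: the warnings come from inputs the poster's app-local file never mentions. Run against the real files, the same report shows whether the WMI stanzas come from a forgotten system/local file or from the add-on's defaults.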

Gayathirikuppus
New Member

Yeah, the inputs.conf that I have shared is from the local folder. Where do I need to check for WMI inputs for the discrepancy?
