Hi,
We have Windows 2008 R2 SP1 with Splunk 5 installed in a domain network.
We have configured it to collect the Windows "System" event log.
But it suddenly stops collecting Windows events when the remote system is rebooted, and we can't get events until the "splunkd" service is restarted from the server.
After restarting "splunkd", the server starts collecting events, but it stops again as soon as the remote server or client is rebooted.
The firewall is turned off at both ends.
Thanks,
Prakash
Hi,
Enabled debug logging level for WMI from the link and found out WMI will retry after 5000 seconds. Ref: http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/TroubleshootingWMI#Splunk_can.27t...
and by editing wmi.conf from C:\Program Files\Splunk\etc\system\local and setting timeout values
Thanks
Prakash
Make sure that you configured the Splunk service to start at boot.
It may be helpful to share any errors that you are seeing in the splunkd logs.
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself
I would recommend using the Splunk on Splunk App in the future which will help you search across all Splunk logs when you have an issue like this.