Solved: Universal Forwarder - Start collection without ind...

zindain24 · ‎06-20-2012

Hello, we are looking to collect Windows (Application, Security, and System) logs from 14 Domain Controllers. By default the Universal Forwarder begins indexing the logs from the systems earliest event to the most recent. Is there a way we can tell the forwarder to start collection of new events, and not index the old log files?

Thanks!

ysouchon · ‎06-20-2012

Via inputs.conf (local): current_only = 1

or

Via wmi.conf (remote) : current_only = 1

View solution in original post

criazuelo_splun · ‎10-21-2019

This solution didn't work with a UF v 7.3.2 and Windows Server 2012R2 standard.

zindain24 · ‎06-20-2012

Thanks ysouchon, added the following to inputs.conf:

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 1
index = indexname

ysouchon · ‎06-20-2012

Via inputs.conf (local): current_only = 1

or

Via wmi.conf (remote) : current_only = 1

criazuelo_splun · ‎10-21-2019

This solution didn't work with a UF v 7.3.2 and Windows Server 2012R2 standard.

Universal Forwarder - Start collection without indexing old logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation