Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarder resending event log data

splunkjas1
Path Finder
‎01-12-2018 08:12 AM

If the IP address for a host changes or if it gets a new GUID, would the forwarder resend the entire Windows event log?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-12-2018 09:19 AM

It depends.
If you uninstalled the old forwarder and then reinstalled the new one, it’s quite possible that it will re-read and send all the logs.

If you upgraded the forwarder this should not occurr, even if the ip or guild changes.

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-12-2018 09:19 AM

It depends.
If you uninstalled the old forwarder and then reinstalled the new one, it’s quite possible that it will re-read and send all the logs.

If you upgraded the forwarder this should not occurr, even if the ip or guild changes.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-12-2018 09:34 AM

I noted “possible” because depending on your config, it may elect to only send evens which are older than x days, or in the case of windows events, only while the forwarder is running. Neither of these are default config, and have drawbacks.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-12-2018 09:05 AM

Is your forwarder resending event logs again? Has any specific activity was performed on your UF like version upgrade?

0 Karma
Reply
Solved! Jump to solution

splunkjas1
Path Finder
‎01-12-2018 09:08 AM

The forwarders are resending event logs. We upgraded them from 6.4.4 to 6.4.9. Would the upgrade cause logs to be resent?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-12-2018 09:21 AM

It should'nt. How did you do the upgrade (procedure)? Was it it inline with what this Splunk documentation suggests?
https://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/UpgradetheWindowsuniversalforwarder#...

0 Karma
Reply
Solved! Jump to solution

splunkjas1
Path Finder
‎01-12-2018 09:24 AM

I asked the folks who performed the upgrade and they told me they do uninstall the 6.4.4 version before installing 6.4.9. So that's probably what caused the logs to be resent, would you agree?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-12-2018 09:27 AM

Yes. In that case I would say it’s expected behaviour

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

splunkjas1
Path Finder
‎01-12-2018 09:28 AM

Okay, thank you.

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-12-2018 09:32 AM

I converted my comment to an answer, so you can accept it if it helped

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...