Solved: What is the best way to reload Windows event log d...

jamesvz84 · ‎03-31-2014

I want to reload Windows event log data from the beginning of time for all hosts and remove all event log data that is currently there. What are the recommended steps to do that?

The current index we are using does not contain all historical event logs, so we want to just cleean it out and re-insert from beginning,

yannK · ‎03-31-2014

To remove events from the index, they are not methods, you have to wait for the data to age.
However you can "hide" the events using the "delete" command, see http://docs.splunk.com/Documentation/Splunk/6.0.2/Indexer/RemovedatafromSplunk

To reindex WinEventLog logs, you can reset a channel counters on an instance:

stop the forwarder,
on splunk 4.* and 5.* delete the counter files in $SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventLog
in addition on splunk 6.*, delete the counter files in $SPLUNK_HOME\var\lib\splunk\modinputs\WinEventLog
restart the forwarder

View solution in original post

yannK · ‎03-31-2014

To remove events from the index, they are not methods, you have to wait for the data to age.
However you can "hide" the events using the "delete" command, see http://docs.splunk.com/Documentation/Splunk/6.0.2/Indexer/RemovedatafromSplunk

To reindex WinEventLog logs, you can reset a channel counters on an instance:

stop the forwarder,
on splunk 4.* and 5.* delete the counter files in $SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventLog
in addition on splunk 6.*, delete the counter files in $SPLUNK_HOME\var\lib\splunk\modinputs\WinEventLog
restart the forwarder

shocko · ‎11-21-2022

This helped me so thanks!

What is the best way to reload Windows event log data?

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?