Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WinEventLog System

santiagn
Path Finder
‎06-23-2017 08:55 AM

hi question regarding the wineventlog system collection.

for some reason splunk is only displaying event code 7036. i have a 2004 code that i am trying to log and set an alert but it is not picking it up for some reason. i see that 7036 is an information type and 2004 is a warning. what can i do to get 2004 to log?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

santiagn
Path Finder
‎06-23-2017 10:08 AM

figured it out,

changed start_from from oldest to newest

and current_only from 0 to 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

santiagn
Path Finder
‎06-23-2017 10:08 AM

figured it out,

changed start_from from oldest to newest

and current_only from 0 to 1

0 Karma
Reply
Solved! Jump to solution

santiagn
Path Finder
‎06-23-2017 09:04 AM

update: im searching Last 30 days and its only logging today if that helps. 2004 event happened 10 days ago so i am not sure if the problem is that splunk is only logging todays events or if it can see any other events

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-23-2017 09:34 AM

please share your inputs stanza for winevenlog system
supposed to be something like that:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false

0 Karma
Reply
Solved! Jump to solution

santiagn
Path Finder
‎06-23-2017 09:47 AM

i only had disabled = 0 and my index, updated to what you mentioned and still no luck, only showing todays logs.

[WinEventLog://System]
disabled = 0
index=main
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...