Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WinEventLog System

santiagn
Path Finder
‎06-23-2017 08:55 AM

hi question regarding the wineventlog system collection.

for some reason splunk is only displaying event code 7036. i have a 2004 code that i am trying to log and set an alert but it is not picking it up for some reason. i see that 7036 is an information type and 2004 is a warning. what can i do to get 2004 to log?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

santiagn
Path Finder
‎06-23-2017 10:08 AM

figured it out,

changed start_from from oldest to newest

and current_only from 0 to 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

santiagn
Path Finder
‎06-23-2017 10:08 AM

figured it out,

changed start_from from oldest to newest

and current_only from 0 to 1

0 Karma
Reply
Solved! Jump to solution

santiagn
Path Finder
‎06-23-2017 09:04 AM

update: im searching Last 30 days and its only logging today if that helps. 2004 event happened 10 days ago so i am not sure if the problem is that splunk is only logging todays events or if it can see any other events

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-23-2017 09:34 AM

please share your inputs stanza for winevenlog system
supposed to be something like that:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false

0 Karma
Reply
Solved! Jump to solution

santiagn
Path Finder
‎06-23-2017 09:47 AM

i only had disabled = 0 and my index, updated to what you mentioned and still no luck, only showing todays logs.

[WinEventLog://System]
disabled = 0
index=main
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...