Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WinEventLog System

santiagn
Path Finder
‎06-23-2017 08:55 AM

hi question regarding the wineventlog system collection.

for some reason splunk is only displaying event code 7036. i have a 2004 code that i am trying to log and set an alert but it is not picking it up for some reason. i see that 7036 is an information type and 2004 is a warning. what can i do to get 2004 to log?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

santiagn
Path Finder
‎06-23-2017 10:08 AM

figured it out,

changed start_from from oldest to newest

and current_only from 0 to 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

santiagn
Path Finder
‎06-23-2017 10:08 AM

figured it out,

changed start_from from oldest to newest

and current_only from 0 to 1

0 Karma
Reply
Solved! Jump to solution

santiagn
Path Finder
‎06-23-2017 09:04 AM

update: im searching Last 30 days and its only logging today if that helps. 2004 event happened 10 days ago so i am not sure if the problem is that splunk is only logging todays events or if it can see any other events

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-23-2017 09:34 AM

please share your inputs stanza for winevenlog system
supposed to be something like that:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false

0 Karma
Reply
Solved! Jump to solution

santiagn
Path Finder
‎06-23-2017 09:47 AM

i only had disabled = 0 and my index, updated to what you mentioned and still no luck, only showing todays logs.

[WinEventLog://System]
disabled = 0
index=main
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...