- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Windows 2008 Server Event Viewer Logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the Server 2008 Event Viewer there are now a "Microsoft --> Windows" folders nested under the "Applications and Services Logs" section. What should the Splunk inputs.conf look like for the event logs under the "Microsoft" --> "Windows" folder. Specifically I am looking for the "PrintService --> Operational", but if anybody has any of these other logs being indexed the base input should be the same
**%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-**PrintService%4Operational.evtx
I tried the following with no success...
[WinEventLog:Microsoft:Windows:PrintService Operational]
[WinEventLog:PrintService Operational]
Thanks in advance...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is stanza required
[WinEventLog:Microsoft-Windows-PrintService/Operational]
Thanks to Ellen Hom with Splunk Support
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using "Splunk Forwarder" on the target Machine????
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The add data interface will list these out as well. Even if you intended to deploy to a forwarder, you can still create the stanza as a sample on one Splunk to make sure the syntax is correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is stanza required
[WinEventLog:Microsoft-Windows-PrintService/Operational]
Thanks to Ellen Hom with Splunk Support
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dont worry managed to get it working with this -
[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0
after some restarting if the forwarders 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is that all you need to have in your input.conf file ? or do you need somthing somewhere else ? I need to monitor that particular event log however im getting nothing currently, I did merge that event log with the system event log which did sort or work but not as I need it to.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
