Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows 2008 Server Event Viewer Logs

kbecker
Communicator
‎08-30-2010 10:34 PM

In the Server 2008 Event Viewer there are now a "Microsoft --> Windows" folders nested under the "Applications and Services Logs" section. What should the Splunk inputs.conf look like for the event logs under the "Microsoft" --> "Windows" folder. Specifically I am looking for the "PrintService --> Operational", but if anybody has any of these other logs being indexed the base input should be the same

**%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-**PrintService%4Operational.evtx

I tried the following with no success... 

[WinEventLog:Microsoft:Windows:PrintService Operational]
[WinEventLog:PrintService Operational]

Thanks in advance...

Reply
1 Solution
Solved! Jump to solution
Solution

kbecker
Communicator
‎09-03-2010 09:52 PM

This is stanza required

[WinEventLog:Microsoft-Windows-PrintService/Operational]

Thanks to Ellen Hom with Splunk Support

View solution in original post

Reply
Solved! Jump to solution

patelpin
New Member
‎06-03-2013 08:27 AM

Are you using "Splunk Forwarder" on the target Machine????

0 Karma
Reply
Solved! Jump to solution

cervelli
Splunk Employee
Splunk Employee
‎10-13-2010 07:45 PM

The add data interface will list these out as well. Even if you intended to deploy to a forwarder, you can still create the stanza as a sample on one Splunk to make sure the syntax is correct.

0 Karma
Reply
Solved! Jump to solution
Solution

kbecker
Communicator
‎09-03-2010 09:52 PM

This is stanza required

[WinEventLog:Microsoft-Windows-PrintService/Operational]

Thanks to Ellen Hom with Splunk Support

Reply
Solved! Jump to solution

AaronMoorcroft
Communicator
‎04-09-2014 06:52 AM

dont worry managed to get it working with this -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

after some restarting if the forwarders 🙂

0 Karma
Reply
Solved! Jump to solution

AaronMoorcroft
Communicator
‎04-09-2014 01:51 AM

So is that all you need to have in your input.conf file ? or do you need somthing somewhere else ? I need to monitor that particular event log however im getting nothing currently, I did merge that event log with the system event log which did sort or work but not as I need it to.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...