Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows 2008 Server Event Viewer Logs

kbecker
Communicator
‎08-30-2010 10:34 PM

In the Server 2008 Event Viewer there are now a "Microsoft --> Windows" folders nested under the "Applications and Services Logs" section. What should the Splunk inputs.conf look like for the event logs under the "Microsoft" --> "Windows" folder. Specifically I am looking for the "PrintService --> Operational", but if anybody has any of these other logs being indexed the base input should be the same

**%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-**PrintService%4Operational.evtx

I tried the following with no success... 

[WinEventLog:Microsoft:Windows:PrintService Operational]
[WinEventLog:PrintService Operational]

Thanks in advance...

Reply
1 Solution
Solved! Jump to solution
Solution

kbecker
Communicator
‎09-03-2010 09:52 PM

This is stanza required

[WinEventLog:Microsoft-Windows-PrintService/Operational]

Thanks to Ellen Hom with Splunk Support

View solution in original post

Reply
Solved! Jump to solution

patelpin
New Member
‎06-03-2013 08:27 AM

Are you using "Splunk Forwarder" on the target Machine????

0 Karma
Reply
Solved! Jump to solution

cervelli
Splunk Employee
Splunk Employee
‎10-13-2010 07:45 PM

The add data interface will list these out as well. Even if you intended to deploy to a forwarder, you can still create the stanza as a sample on one Splunk to make sure the syntax is correct.

0 Karma
Reply
Solved! Jump to solution
Solution

kbecker
Communicator
‎09-03-2010 09:52 PM

This is stanza required

[WinEventLog:Microsoft-Windows-PrintService/Operational]

Thanks to Ellen Hom with Splunk Support

Reply
Solved! Jump to solution

AaronMoorcroft
Communicator
‎04-09-2014 06:52 AM

dont worry managed to get it working with this -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

after some restarting if the forwarders 🙂

0 Karma
Reply
Solved! Jump to solution

AaronMoorcroft
Communicator
‎04-09-2014 01:51 AM

So is that all you need to have in your input.conf file ? or do you need somthing somewhere else ? I need to monitor that particular event log however im getting nothing currently, I did merge that event log with the system event log which did sort or work but not as I need it to.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top