Getting Data In

Windows Event Log reduction after patching?

Splunk_user77
New Member

Good morning.

We have been tracking a recent reduction in our log ingest rate. After a myriad of searching, it appears that the reduction in XML Windows Event Logs occurred the same week that Windows patching occurred in July of 2022. We are down by approximately 10%, maybe a little less than that. We have noted that the XML WinEventLogs appear to be the only index affected.

I'm concerned because this could indicate:

  1. Patching broke logging on the Windows systems and we aren't getting everything we used to or should
  2. Patching made logging more efficient and we are getting the same or better/more data with less overall size
  3. Something else could be broken within Splunk itself and this is the only indication

We opened an on-demand case and they found nothing wrong. We opened a support case and they told us what we could see for ourselves in the cloud monitoring console. We've continued to search and investigate, and our working theory is that patching affected the logging. We now need to know if it's a good thing (number 2) or a bad thing (number 1).

My question is - has anyone else noticed a drop in xmlwineventlog volume over the last few months?

Thanks in advance.


Azeemering
Builder

Hi,

The reduction of this can have many different reasons, but you need to pinpoint what exactly changed.

- Are all hosts patched and are all reporting and running the UF properly?

- Can you pinpoint the reduction to System / Application or Security Windows events? (source in Splunk)

- Do all hosts have the same amount of reduction of event logs sent to Splunk?

- Look at the Windows EventCodes; do a before and after count of the different EventCodes. Can you pinpoint a difference to a specific EventCode?

Just troubleshoot step by step. Happy to help and think with you for next steps.

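A single search that carries out the before/after comparison from the steps above across host, source and EventCode at once, added here as an example rather than part of the original answer. It assumes the events sit in an index named wineventlog with the standard XmlWinEventLog sourcetype and its EventCode field; set earliest, latest and the split point so that the two four-week windows bracket the patch week.

```spl
index=wineventlog sourcetype=XmlWinEventLog earliest=-8w@w latest=@w
| eval period=if(_time < relative_time(now(), "-4w@w"), "before", "after")
| stats count AS events, sum(eval(len(_raw))) AS bytes BY period host source EventCode
| stats sum(eval(if(period="before", events, 0))) AS before_events,
        sum(eval(if(period="after",  events, 0))) AS after_events,
        sum(eval(if(period="before", bytes,  0))) AS before_bytes,
        sum(eval(if(period="after",  bytes,  0))) AS after_bytes
        BY host source EventCode
| eval event_change_pct=if(before_events>0, round((after_events-before_events)/before_events*100, 1), null()),
       avg_bytes_before=if(before_events>0, round(before_bytes/before_events), null()),
       avg_bytes_after=if(after_events>0, round(after_bytes/after_events), null())
| where before_events>0 AND (after_events=0 OR event_change_pct < -25)
| sort event_change_pct
```

Rows with after_events=0 are host/channel pairs that stopped arriving altogether (check the forwarder on those hosts first); rows where the event count holds steady but avg_bytes_after is lower mean the same events are simply smaller now, while a drop concentrated in particular EventCodes points at a change in what the host is logging.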