Getting Data In

Windows event logs – Define the start time for event collection – do not want current_only OR all history

r999
Path Finder

Is there any way to define at what point in time Windows event logs will start being collected by the Splunk UF?

We have:

[WinEventLog:Application]
current_only = 1
index = winapp

The server had an issue and the Splunk UF was stopped for several hours.
How can I collect those events that were missed when Splunk is restarted? 'current_only' says "index from the point splunk is started". If I remove "current_only", Splunk will start indexing the entire multi-year history of the event log. It has only been enabled for a few months and we do not want the old data. Any ideas?

If I export a .evt file containing only these events and index that, will Splunk see the data in the same format? Will all my field extractions etc. work, or will it be a completely different format? I would still have to modify all saved searches and dashboards to ensure they include the data, which is a pain.

1 Solution

kristian_kolb
Ultra Champion

No, I don't believe there is such an option. But I don't think that is what you need. Splunk is designed to handle these kinds of interrupts gracefully. According to the docs, current_only=1 will only play a part the first time Splunk sees the event log.

One would like to think that Splunk will keep track of which events have been read (based on RecordNumber) and not skip those that were created during an outage; unfortunately, this does not seem to be the case. When I tested this, there was a gap (i.e. stopping splunkd, generating some events, changing current_only to 1, and restarting). Those newly created events were not indexed, so it seems that current_only=1 affects all restarts of splunkd.

However, if you set current_only=0 before you restart, Splunk should pick up the events that were created during the outage, but not more than that. When testing (stopping splunkd, generating events, changing current_only to 0, starting splunkd), Splunk only indexed the events generated during the outage, but it didn't go further back to re-index the whole log, so I still have a gap from the previous test mentioned above.

These are just my empirical observations, and your mileage may vary (other versions, etc.), but to me it seems like setting current_only=0 before you restart will do what you want.

Hope this helps,

Kristian
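The answer above rests on whether the indexed events still have a hole in the RecordNumber sequence after the restart. The following script is an added example for checking that, not code from the thread or from Splunk: it parses a CSV export of a search such as `index=winapp | table host source RecordNumber _time` (standard field names for the classic WinEventLog input) and reports every RecordNumber gap per host and channel, with the timestamps of the events on either side, so you can see whether a gap lines up with the outage window. The CSV rows, hosts, record numbers and timestamps are constructed for the example.

```python
"""Added example (not from the original thread): find RecordNumber gaps in
Windows events a Splunk forwarder indexed, to verify an outage left no hole."""
import csv
import io
from collections import defaultdict, namedtuple

# Constructed sample of a CSV export from a search like
#   index=winapp | table host source RecordNumber _time
# The hosts, record numbers and timestamps are made up for this example;
# srv01's Application log is missing 1004-1007 (an assumed outage window).
SAMPLE_CSV = """host,source,RecordNumber,_time
srv01,WinEventLog:Application,1001,2024-05-01T08:00:00
srv01,WinEventLog:Application,1002,2024-05-01T08:05:00
srv01,WinEventLog:Application,1003,2024-05-01T08:10:00
srv01,WinEventLog:Application,1008,2024-05-01T14:30:00
srv01,WinEventLog:Application,1009,2024-05-01T14:31:00
srv01,WinEventLog:System,500,2024-05-01T08:00:00
srv01,WinEventLog:System,501,2024-05-01T09:00:00
srv01,WinEventLog:System,502,2024-05-01T10:00:00
srv02,WinEventLog:Application,77,2024-05-01T08:00:00
srv02,WinEventLog:Application,78,2024-05-01T08:01:00
srv02,WinEventLog:Application,80,2024-05-01T08:02:00
"""

# One gap: the inclusive range of missing record numbers plus the _time of
# the indexed events immediately before and after it.
Gap = namedtuple("Gap", "host source first_missing last_missing before after")


def parse_export(text):
    """Parse the CSV export into (host, source, RecordNumber, _time) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((row["host"], row["source"],
                     int(row["RecordNumber"]), row["_time"]))
    return rows


def find_gaps(events):
    """Return a list of Gap records, one per hole in each host/channel sequence.

    RecordNumber is only sequential within one event log on one host, so the
    events are grouped by (host, source) first. Duplicate records (the same
    RecordNumber indexed twice) collapse into one entry and do not count.
    Note: RecordNumber restarts when an event log is cleared, so a gap found
    across a clear is a false positive and should be checked against the
    log's own "cleared" event.
    """
    by_log = defaultdict(dict)  # (host, source) -> {RecordNumber: _time}
    for host, source, rec, ts in events:
        by_log[(host, source)][rec] = ts

    gaps = []
    for (host, source), recs in sorted(by_log.items()):
        ordered = sorted(recs)
        for prev, cur in zip(ordered, ordered[1:]):
            if cur - prev > 1:
                gaps.append(Gap(host, source, prev + 1, cur - 1,
                                recs[prev], recs[cur]))
    return gaps


def missing_count(gaps):
    """Total number of record numbers missing across all gaps."""
    return sum(g.last_missing - g.first_missing + 1 for g in gaps)


if __name__ == "__main__":
    found = find_gaps(parse_export(SAMPLE_CSV))
    for g in found:
        print(f"{g.host} {g.source}: records {g.first_missing}-{g.last_missing} "
              f"missing between {g.before} and {g.after}")
    print(f"{missing_count(found)} record(s) missing in total")
```

Run it against a real export after the current_only=0 restart: if the gap that bounded the outage is gone, the forwarder did catch up; if it is still listed, the events did not come in and the "before"/"after" timestamps tell you exactly which window to recover by other means.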

