Solved: Windows event logs – Define the start time for eve...

r999 · ‎12-06-2012

is there anyyway to define at what point in time windows event logs will start being collected by Splunk UF?

We have [WinEventLog:Application]
current_only = 1
index= winapp

The server had an issue and splunk UF was stopped for several hours.
How can i get collect those events that were missed when splunk is re started? 'current_only' says "index from the point splunk is started"if i remove the "current_only" splunk will start indexing the entire multi year history of the event log. It has only been enabled for a few months and we do not want the old data. any ideas?

If i export a .evt file containing only these events and index that, will the splunk see the data in the same format? will all my field extractions etc work? or will it be completely different format? i will still have to modify all saves searches and dashboards to ensure it will include the data which is a pain

kristian_kolb · ‎12-07-2012

No, I don't believe there is such an option. But I don't think that is what you need. Splunk is designed to handle these kinds of interrupts gracefully. According to the docs, current_only=1 will only play a part the first time Splunk sees the eventlog.

One would like to think that Splunk will keep track of which events has been read (based on RecordNumber) and not skip those that were created during an outage, unfortunately this does not seem to be the case. When I tested this, there was a gap (i.e. stopping splunkd, generating some events, changing current_only to 1, and restarting). Those newly created events were not indexed, so it seems that current_only=1 affects all restarts of splunkd.

However, if you set current_only=0 before you restart, Splunk should pick up the events that were created during the outage, but not more than that. When testing, (stopping splunkd, generating events, changing current_only to 0, starting splunkd) Splunk only indexed the events generated during the outage, but it didn't go further back to re-index the whole log, so I still have a gap from the previous test mentioned above.

These are just my empirical observations, and your mileage may vary (other versions etc) but to me it seems like setting current_only=0 before you restart will do what you want.

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎12-07-2012

No, I don't believe there is such an option. But I don't think that is what you need. Splunk is designed to handle these kinds of interrupts gracefully. According to the docs, current_only=1 will only play a part the first time Splunk sees the eventlog.

One would like to think that Splunk will keep track of which events has been read (based on RecordNumber) and not skip those that were created during an outage, unfortunately this does not seem to be the case. When I tested this, there was a gap (i.e. stopping splunkd, generating some events, changing current_only to 1, and restarting). Those newly created events were not indexed, so it seems that current_only=1 affects all restarts of splunkd.

However, if you set current_only=0 before you restart, Splunk should pick up the events that were created during the outage, but not more than that. When testing, (stopping splunkd, generating events, changing current_only to 0, starting splunkd) Splunk only indexed the events generated during the outage, but it didn't go further back to re-index the whole log, so I still have a gap from the previous test mentioned above.

These are just my empirical observations, and your mileage may vary (other versions etc) but to me it seems like setting current_only=0 before you restart will do what you want.

Hope this helps,

Kristian

Windows event logs – Define the start time for event collection – do not want current_only OR all history

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...