Hi Splunkers,
for our customer we collect log from Windows systems. The main configuration details are:
Yesterday we completed this configuration and started to collect logs. The issue we are facing is that logs arrive with a delay, which is always around 30-60 minutes. So, we have to understand why.
Our suspicion is that we do not have a single root cause, but a set of them:
Based on this, if all our assumptions are correct, and considering that the customer for sure will not enable UF installation, we thought to:
Do you think this is fine, guys? Our main doubt currently is: have we detected all the issue causes? Are our fixes the right ones?
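Before changing the collection setup, it helps to measure where the 30-60 minute delay actually accrues. The search below is an added example (not from the original post or from Splunk documentation); it compares each event's own timestamp (`_time`) with the time Splunk indexed it (`_indextime`), per host, so a lag that is uniform across all 12 DCs points at the collection path, while a lag on a few hosts points at those machines. The index name and sourcetype are assumptions and must be adjusted to the customer's environment.

```spl
/* Assumed index and sourcetype; replace with the customer's values. */
index=wineventlog sourcetype="WMI:WinEventLog:Security" earliest=-24h
/* Seconds between when the event happened and when Splunk indexed it. */
| eval lag_sec = _indextime - _time
| stats count
        avg(lag_sec)  as avg_lag_sec
        p95(lag_sec)  as p95_lag_sec
        max(lag_sec)  as max_lag_sec
        min(_time)    as first_event
        max(_time)    as last_event
  by host
| sort - avg_lag_sec
```

If every host shows a similar large `avg_lag_sec`, the delay sits in the shared collection/forwarding path rather than on individual DCs. A follow-up `| timechart span=5m count by host` on the same base search exposes gaps or bursty arrival patterns that are typical of polling-based collection, which is the kind of evidence to bring when arguing for per-node forwarders or tighter event filtering.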
Hi
what I have learned/heard is to use WMI only if you don't have any other options and you must collect those logs! It's much better to use a UF on those nodes!
As you have 12 DC nodes you probably have quite a high event count (1-X kilo events/s)? Definitely you should try to filter and collect only the needed events, not all from those logs.
r. Ismo
30-60 minutes... is too much of a delay. It should not take so long; even a 3-minute delay itself is unacceptable.
On the Splunk Cloud side, there should not be much of a delay. The delay should only be on your systems/network side.
Please troubleshoot the networks/connections, etc. and update us on how it goes.