Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WinEventLog

Jeronimo317
Explorer
‎07-21-2020 02:04 PM

Hi team, the issue that I am currently experiencing is that WinEventLog not sending data to the main index . I am new to Splunk and so far have not been able to figure out the reason. Thoughts?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-27-2020 05:33 AM

Good!

If your isse was solved, please accept the answer for the other people of the Community.

Ciao and Next Time!

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

Reply
Solved! Jump to solution

anilchaithu
Builder
‎07-21-2020 02:28 PM

@Jeronimo317 

what is your setup? Are you trying to forward wineventlog from remote server to splunk using universal forwarder?

Please make sure you have the following configurations in place

  • open port 9997 on receiving instance
  • configure outputs.conf on UF to send data to splunk indexer
  • open network connection (for port 9997) between remote server & splunk instance

Please refer below page for more details

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/HowtoforwarddatatoSplunkEnterprise 

Hope this helps

0 Karma
Reply
Solved! Jump to solution

Jeronimo317
Explorer
‎07-27-2020 05:20 AM

Hi @gcusello and @anilchaithu , thank you for your help I figured out the issue. Turned out that the index was not specifically set in the input.conf and by default the ingest was going to main as oppose to wineventlog. Seems to be OK now. Thanks again 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-27-2020 05:33 AM

Good!

If your isse was solved, please accept the answer for the other people of the Community.

Ciao and Next Time!

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

Jeronimo317
Explorer
‎07-22-2020 05:25 AM

Are you trying to forward wineventlog from remote server to splunk using universal forwarder? - Yes, and it has been working fine. Suddenly I stopped seeing WinEventLog sending data to the main index. What could be a reason and how can I troubleshoot? Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2020 05:41 AM

Hi @Jeronimo317,

which Technical Add-On are you using?

See in the inputs.conf if there's an index (usually wineventlog).

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Jeronimo317
Explorer
‎07-22-2020 06:27 AM

Hi gcusello, I am not sure what do you mean by which Technical Add-on?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2020 06:38 AM

Hi @Jeronimo317,

did you created your own inputs.conf or did you take the Splunk_TA_Windows to take the logs from wineventlog?

Index is usually assigned in inputs.conf, so you should see in the active inputs.conf what's the index assignment.

From your answer I suppose that you didn't used the TA but the web gui inputs configuration; if this is your situation, see in the inputs configuration [Settings -- Inputs] what's the index assignment. 

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...