Infinite number of events from WMI event log

New Member

Hi I'm using 4.2 on Win 2008 R2. Suplunkd is running with domain admin account. When I add my two DCs to get security event logs, it starts indexing forever until it runs out of the license. Each server has a total of about 15k events, but Splunk indexed over 2 millions (!) events from each machine. Here is my conf

[WMI:Security - Domain Controllers]
disabled = 1
event_log_file = Security
index = default
interval = 5
server = xxxdc01, xxxdc02

This was generated by the UI. Any ideas to have it work? Thanks

Tags (2)
0 Karma


If you are polling events from the Windows EventLog via WMI there is an important setting that will correct this behavior for you. The setting is "current_only" which defaults to 0. Setting this to 1 instead will tell Splunk to only collect events that occur while Splunk is running.

Here is an example of "current_only" in use in a wmi.conf:

interval = 10
event_log_file = Security
index = default
disabled = 1
current_only = 1

See also:

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...