Security

Infinite number of events from WMI event log

zumispun
New Member

Hi, I'm using 4.2 on Win 2008 R2. Splunkd is running with a domain admin account. When I add my two DCs to get security event logs, it starts indexing forever until it runs out of the license. Each server has a total of about 15k events, but Splunk indexed over 2 million (!) events from each machine. Here is my conf:

[WMI:Security - Domain Controllers]
disabled = 1
event_log_file = Security
index = default
interval = 5
server = xxxdc01, xxxdc02

This was generated by the UI. Any ideas to have it work? Thanks


hazekamp
Builder

If you are polling events from the Windows EventLog via WMI there is an important setting that will correct this behavior for you. The setting is "current_only" which defaults to 0. Setting this to 1 instead will tell Splunk to only collect events that occur while Splunk is running.

Here is an example of "current_only" in use in a wmi.conf:

[WMI:LocalSecurity]
interval = 10
event_log_file = Security
index = default
disabled = 1
current_only = 1

See also: http://www.splunk.com/base/Documentation/latest/Admin/Wmiconf

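An added check, not from the original thread or from Splunk itself: a small Python script that parses a wmi.conf and reports every event-log stanza still relying on the current_only default of 0, so the replay described above can be caught before it consumes the license. The sample config and the localhost fallback for stanzas without a server list are assumptions of the example.

```python
import configparser
from typing import Dict, List

# Constructed sample wmi.conf (not from the original page): the first stanza
# mirrors the poster's config without current_only, the second is the
# corrected form from the answer, the third is a WQL stanza that is not an
# event-log input and must be left alone.
SAMPLE_WMI_CONF = """
[WMI:Security - Domain Controllers]
disabled = 0
event_log_file = Security
index = default
interval = 5
server = xxxdc01, xxxdc02

[WMI:LocalSecurity]
interval = 10
event_log_file = Security
index = default
disabled = 0
current_only = 1

[WMI:CPUTime]
interval = 10
wql = select PercentProcessorTime from Win32_PerfFormattedData_PerfOS_Processor
disabled = 0
"""


def audit_wmi_conf(text: str) -> Dict[str, List[str]]:
    """Map each WMI event-log stanza that will replay history to its hosts.

    A stanza is an event-log input when it carries event_log_file; WQL stanzas
    are skipped. current_only defaults to 0, which makes Splunk collect the
    whole log on every poll instead of only new events. A stanza without a
    server list is assumed here to poll the local host (as the LocalSecurity
    example implies).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    offenders: Dict[str, List[str]] = {}
    for name in parser.sections():
        stanza = parser[name]
        if "event_log_file" not in stanza:
            continue
        if stanza.get("current_only", "0").strip() == "1":
            continue
        hosts = [h.strip() for h in stanza.get("server", "").split(",") if h.strip()]
        offenders[name] = hosts or ["localhost"]
    return offenders


if __name__ == "__main__":
    for name, hosts in audit_wmi_conf(SAMPLE_WMI_CONF).items():
        print(f"{name}: current_only is not 1, replays the log from {', '.join(hosts)}")
```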