Splunk Enterprise

Eventlog issue with forwarder


I am troubleshooting an issue where eventlogs from one of the remote servers show only partial data in Splunk. We are collecting the logs using a forwarder. The description of the eventlogs are not getting collected. I have tried out various troubleshooting steps, and one thing I was wondering is: is there a way we can run the same command which the forwarder executes for collecting the logs? That way I will be able to understand if there is any Windows issue which is causing partial collection of data.

Just to be clear, I am looking for something similar to this: "splunk cmd splunk-wmi.exe -wql" (this one is for WMI).


Ultra Champion

There are ways to add single files but not a way to send to systemout what the input sends to the indexer.

Would you provide more information on the problem? Right now it's hard to help without more details.

What do you mean by "partial data"? What do you mean that the "description of the eventlogs are not getting collected"? "Description" could mean many things there.
