Splunk Enterprise

How to stop Splunk UF from sending old Windows logs when installing on GUI

salohiddin
Engager

Hi everyone, I installed a Splunk Universal Forwarder on a Windows server and by default it immediately started sending a huge amount of old Security/System logs. This quickly caused a license violation. Later I saw that in inputs.conf there is a parameter start_from = oldest. But during the UF installation (using the GUI) I didn't see any option to control this. After installation it just started forwarding everything. So my question is: when is the right time to configure start_from?


kiran_panchavat
Champion

@salohiddin 

With the GUI installer, there’s no option to change this, you have to edit inputs.conf manually before the forwarder starts collecting. Install the UF without selecting Windows Event Logs and make the changes in the inputs.conf. 


Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!


livehybrid
SplunkTrust

Hi @salohiddin 

It's not possible to set this in the GUI. Instead, after you run the installer, don't let the UF start immediately.
Edit (or create) the Windows event log stanza in

$SPLUNK_HOME\etc\system\local\inputs.conf

(or within a custom app) before the forwarder first reads any logs. Add the following to the inputs.conf file:

[WinEventLog]
current_only = 1

See https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-windows-data/monitor-wi... for more info on this setting.

Once you have saved the file:

  1. Start the forwarder (splunk.exe start or the Windows service).
  2. The UF will read only new events and no longer send the historic logs.

If you've already started the UF then stop the service, edit inputs.conf, and restart the service.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

kiran_panchavat
Champion

@salohiddin 

Refer to this: https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf

start_from = <string>
* How the Event Log input is to chronologically read the Event Log channels.
* A value of "oldest" means that the input reads Windows event logs
  from the oldest to the most recent.
* A value of "newest" means that the input reads Windows event logs
  in reverse, from the most recent to the oldest. After the input consumes
  the backlog of events, it stops.
* If you set this setting to "newest", and at the same time give the
  'current_only' setting a value of "false", the combination can result in the
  input indexing duplicate events.
* Do not set this setting to "newest" and at the same time give the
  'current_only' setting a value of "true". This results in the input not 
  collecting any events because you told it to read existing events
  from newest to oldest and read only incoming events concurrently, which
  is a logically impossible combination.
* Default: oldest


Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
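To check an existing inputs.conf against the rules quoted from the spec above (and the current_only = 1 fix from the earlier answer) before the forwarder is started, here is a small audit script. It is an added example, not Splunk's code; the sample inputs.conf is constructed, and the set of boolean spellings accepted for current_only is an assumption.

```python
# Added example, not Splunk's own code: audit the [WinEventLog...] stanzas of a
# UF inputs.conf against the start_from / current_only rules quoted above.
import re

# Constructed sample inputs.conf (not taken from any real host).
SAMPLE_INPUTS_CONF = """[WinEventLog://Security]
current_only = 1
[WinEventLog://System]
start_from = newest
current_only = true
[WinEventLog://Application]
start_from = newest
current_only = false
"""

# Verdict keyed on (start_from == "newest", current_only is true).
VERDICTS = {
    (True, True): "INVALID: newest + current_only=true collects no events",
    (True, False): "WARN: newest + current_only=false can index duplicates",
    (False, True): "OK: only new events, no historical backfill",
    (False, False): "BACKFILL: oldest + current_only=false replays the whole log",
}

def parse_stanzas(text):
    """Return {stanza: {key: value}} for Splunk's INI-style .conf format."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit_wineventlog(text):
    """Return {stanza: verdict} for every WinEventLog stanza in text."""
    verdicts = {}
    for name, kv in parse_stanzas(text).items():
        if not name.startswith("WinEventLog"):
            continue
        newest = kv.get("start_from", "oldest").lower() == "newest"  # spec default: oldest
        # Accepted boolean spellings are an assumption; the spec default for current_only is false.
        current_only = kv.get("current_only", "0").lower() in ("1", "true", "t", "yes", "y", "on")
        verdicts[name] = VERDICTS[(newest, current_only)]
    return verdicts
```

Run it against $SPLUNK_HOME\etc\system\local\inputs.conf before starting the service; any stanza reported as BACKFILL will replay the full channel and is the one to set current_only = 1 on.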
