Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

WinEventLog - Appliction and Services Logs- Does anyone have a doc or suggestion?

ttiller
Engager
‎08-14-2020 08:01 AM

Trying to collect information from a sub folder in a Windows server event log. Specifically in the Applications and Services Logs/DFS Replication folder. So far it looks like I need to add some info to my local conf file, but unsure of the proper syntax. I believe it would be along these lines:

[WinEventLog:"Application and Services Logs/DFSReplication"]
disabled=0
start from=oldest
currentonly=0

Can anyone point me to the proper doc to figure this out or offer a suggestion. Thanks in advance.

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

wcolgate_splunk
Splunk Employee
Splunk Employee
‎05-26-2022 01:35 PM

The syntax for Windows event log stanza is:

[WinEventLog://<channel-name>]

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-14-2020 08:11 AM
Have you tried removing the quotation marks from the stanza name?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ttiller
Engager
‎08-31-2020 11:45 AM

The adjustment was  made on the backend so now my search should be successful. Thank you for your suggestion.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2020 01:58 PM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply

ttiller
Engager
‎08-14-2020 08:17 AM

I have not. I was unsure if I was even on the right track and did not want to jump off the cliff without some assurances that I'm not going to screw something up. "Nothing ventured nothing gained" as they say. Will give it a go and let you know. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...