1. "may i know why you use the old version of free splunk [...]" - you should never ask such a silly question :)). But on a serious note, I'm using it because newer versions require newer Windows. Not all versions run on Win7. And because of that, I don't have the user option anymore, which leads me to this error:

Data could not be written: /nobody/search/inputs/WinEventLog://System/start_from: oldest

I think /nobody refers to the fact that the user option is taken out, and that's why I can't write this: \Splunk\etc\apps\search\default\inputs.conf from the Splunk Web interface.

2. "i think you need to update the inputs.conf on the windows box" - I am leaving inputs.conf from D:\Program Files\Splunk\etc\apps\search\default\inputs.conf clear and use this instead: D:\Program Files\Splunk\etc\apps\search\local\wmi.conf, as I have more control over it, and my initial question was what stanza I can use in this file so I can get older data in, as current_only = 0 is doing nothing. I get the same recent items in. It would have been nice if I had this simple solution of writing a stanza in that file and getting all the information. In the same WMI I get my Windows Security Logs too. I like this solution because I can get different Windows Logs into different indexes. And now I think I can set inputs.conf to send different logs' data to different indexes?!? Am I correct?

Now a bit of a backstory/history: when I tried the first time to pull this magic trick, I don't really know how or why, but I managed to double the data. That means that I managed somehow to index the same data twice. I wasn't very happy; in fact, I was very upset about the fact that I had to go spelunking through the same data ... twice. So I deleted the original index and started again. The second time wasn't as easy as the first time, as I got the above-mentioned /nobody error. I don't like the workaround solution; in fact, I much dislike it because it's not an elegant solution, but what can I do ... it is what it is and it's working.

3. The links you provided no longer work correctly; they send me to the homepage of the documentation. Cheers 🙂
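As an added example (not from this post, and not Splunk's own shipped configuration), here are the two files discussed above side by side: a local wmi.conf that asks for historical events and routes each Windows log to its own index, and the equivalent local inputs.conf WinEventLog stanzas doing the same thing. Host and index names are placeholders.

```ini
# ---- D:\Program Files\Splunk\etc\apps\search\local\wmi.conf (added example) ----
# One stanza per log group; each stanza can carry its own index.
# current_only = 0 asks for existing (historical) events, not only new ones.

[WMI:AppAndSys]
# placeholder hostname of the Windows box being polled
server = WINHOST01
interval = 10
event_log_file = Application, System
# placeholder index for system-type logs
index = win_system
current_only = 0
disabled = 0

[WMI:SecurityLog]
server = WINHOST01
interval = 10
event_log_file = Security
# separate placeholder index for the Security log
index = win_security
current_only = 0
disabled = 0

# ---- D:\Program Files\Splunk\etc\apps\search\local\inputs.conf (added example) ----
# Same routing done with the local WinEventLog input instead of WMI.
# start_from = oldest together with current_only = 0 reads from the start of the log.
# Enable a given log in only ONE of the two files: the same log in both
# wmi.conf and inputs.conf indexes every event twice.

[WinEventLog://System]
start_from = oldest
current_only = 0
index = win_system
disabled = 0

[WinEventLog://Security]
start_from = oldest
current_only = 0
index = win_security
disabled = 0
```

Both input types keep a checkpoint of the last event they read, so flipping current_only to 0 on a stanza that has already been running does not make Splunk go back before that checkpoint; that is the first thing to check when the setting appears to do nothing.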