Hello Team, I have a weird issue that I'm struggling to troubleshoot. A month ago, I realized that my WinEventLog logs were consuming too much of my license, so I decided to index them in the XmlWinEventLog format. To do this, I simply modified the inputs.conf file of my Universal Forwarder.

I changed from this configuration:

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    blacklist1 = EventCode="4662" Message="Object Type:(?!\sgroupPolicyContainer)"
    blacklist2 = EventCode="566" Message="Object Type:(?!\sgroupPolicyContainer)"
    renderXml = false
    sourcetype = WinEventLog
    index = wineventlog

To this configuration:

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    blacklist1 = EventCode="4662" Message="Object Type:(?!\sgroupPolicyContainer)"
    blacklist2 = EventCode="566" Message="Object Type:(?!\sgroupPolicyContainer)"
    renderXml = true
    sourcetype = XmlWinEventLog
    index = wineventlog

Then I started receiving events and my license usage went down, which made me happy. However, upon closer observation, I realized that I wasn't receiving all the events as before. Indeed, I now observe that the event frequency of the XmlWinEventLog logs is random. You can observe this on these timelines:

[timeline screenshot]

And in the metrics:

[metrics screenshot]

On the other hand, with the WinEventLog format, I have no issues:

[timeline screenshot]

I tried reinstalling the UF, there are no interesting errors in the splunkd.log, and I am out of ideas for troubleshooting. Thank you for your help.
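One way to make the intermittent ingestion described above measurable rather than eyeballed from a timeline: compare hourly counts of the healthy WinEventLog feed against the XmlWinEventLog feed and flag hours where the XML channel carries far fewer events. This is an added example, not code from the original post; it assumes both sourcetypes cover the same hosts and period, and the CSV shape below (a `_time` column plus one count column per sourcetype, as `timechart span=1h count by sourcetype` would export) is a constructed sample, not real data.

```python
"""Flag hours where XmlWinEventLog volume drops well below WinEventLog volume."""
import csv
import io

# Constructed sample standing in for an exported Splunk timechart:
# one row per hour, one count column per sourcetype.
SAMPLE_CSV = """_time,WinEventLog,XmlWinEventLog
2024-01-01T00:00:00,1200,1180
2024-01-01T01:00:00,1150,0
2024-01-01T02:00:00,1300,1290
2024-01-01T03:00:00,1250,400
2024-01-01T04:00:00,1100,1090
"""


def find_ingestion_gaps(csv_text, baseline="WinEventLog",
                        candidate="XmlWinEventLog", min_ratio=0.8):
    """Return (hour, baseline_count, candidate_count, ratio) for every hour
    where the candidate feed carries less than min_ratio of the baseline.

    The baseline is the channel known to be healthy; a sharp dip in the
    candidate relative to it points at a forwarding or input gap rather
    than at a quiet hour on the host.
    """
    gaps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        base = int(row[baseline])
        cand = int(row[candidate])
        if base == 0:
            continue  # nothing to compare against in this hour
        ratio = cand / base
        if ratio < min_ratio:
            gaps.append((row["_time"], base, cand, round(ratio, 2)))
    return gaps


if __name__ == "__main__":
    for hour, base, cand, ratio in find_ingestion_gaps(SAMPLE_CSV):
        print(f"{hour}: XmlWinEventLog={cand} vs WinEventLog={base} "
              f"(ratio {ratio})")
```

Run the same comparison per host (add a `host` column and group on it) to tell a forwarder-wide problem apart from a single noisy or silent machine.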