Wanted to share some good news regarding this issue with the broader community. Over the past year we worked with Splunk and Microsoft support and development teams to sort this out. In our organization, 99% of the corrupt events were when Windows was rebooting; a fix for this was identified and successfully tested in our environment. The remaining issue was related to an API error response from the EventLog API, and a fix for that is in the works per Splunk Dev and support. Both fixes are expected to make it into 9.1 (hopefully around .CONF23).

And here are some recommendations that came from the collaborative work with Microsoft:

Use 'Delayed Start' for the Splunk Forwarder service.

Set up the following service dependencies to reduce errors (sc.exe needs the space after the equals sign):

    sc config EventLog depend= RpcSs
    sc config SplunkForwarder depend= EventLog
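One way to apply both recommendations from the post and then verify that they took effect, as an added PowerShell example that is not part of the original post. It assumes the forwarder service is named SplunkForwarder (the Universal Forwarder default; change $Forwarder if yours differs), runs from an elevated prompt, and reads the DelayedAutostart registry value that the service control manager uses for delayed start.

```powershell
# Assumed service name; the Universal Forwarder installs as SplunkForwarder by default.
$Forwarder = 'SplunkForwarder'

# 1. Dependency chain: EventLog needs RPC, the forwarder needs EventLog.
#    Note that depend= replaces the service's existing dependency list, it does not append.
sc.exe config EventLog depend= RpcSs | Out-Null
sc.exe config $Forwarder depend= EventLog | Out-Null

# 2. Delayed start so the forwarder comes up after the rest of boot has settled.
sc.exe config $Forwarder start= delayed-auto | Out-Null

# Check that a service lists every expected dependency.
function Test-ServiceChain {
    param([string]$Name, [string[]]$ExpectedDeps)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $deps = @($svc.RequiredServices | ForEach-Object { $_.Name })
    $missing = @($ExpectedDeps | Where-Object { $deps -notcontains $_ })
    [pscustomobject]@{
        Service      = $Name
        Dependencies = ($deps -join ',')
        Missing      = ($missing -join ',')
        Ok           = ($missing.Count -eq 0)
    }
}

# Delayed start is recorded as DelayedAutostart = 1 under the service's registry key.
function Test-DelayedStart {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $val = (Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart
    [pscustomobject]@{ Service = $Name; DelayedStart = ($val -eq 1) }
}

Test-ServiceChain -Name 'EventLog'  -ExpectedDeps @('RpcSs')
Test-ServiceChain -Name $Forwarder  -ExpectedDeps @('EventLog')
Test-DelayedStart -Name $Forwarder
```

The dependency change only takes effect on the next service start, so restart the forwarder (or reboot) before judging whether the corrupt-event rate drops.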