So, the result of our troubleshooting was that all of the hundreds of crash events we were seeing related to winevtlog or perfmon were not crashes happening, but re-attempts at sending past crashes to Microsoft, which were failing because these were on an air-gapped subset of the estate.

The clue, apart from the activity ceasing after clearing the whole WER folder, was that Report_Id just kept repeating ...

sourcetype="WinEventLog:Application" AppCrash | regex Message=".*(?<splunk>splunk[-\w]+)" | timechart span=30m dc(Report_Id)

This search showed a constant value of 12 across several days.

Then we found there is a GPO that tells servers to log AppCrash events, but not send them to Microsoft.
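An added example, not part of the original post: the same 30-minute distinct count of Report_Id, extended with a count of Report_Id values never seen in an earlier bucket, so a flat line of re-sent reports can be told apart from genuinely new crashes. The event tuples, the `r1`-style IDs and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SPAN = timedelta(minutes=30)  # same bucket size as the timechart span in the post


def bucket_start(ts):
    """Floor a naive timestamp to the start of its 30-minute bucket."""
    return datetime.min + ((ts - datetime.min) // SPAN) * SPAN


def summarize(events):
    """events: iterable of (datetime, report_id) taken from AppCrash events.
    Returns [(bucket, distinct_ids, new_ids)] in time order, where new_ids
    counts Report_Id values not present in any earlier bucket."""
    per_bucket = defaultdict(set)
    for ts, rid in events:
        per_bucket[bucket_start(ts)].add(rid)
    seen, rows = set(), []
    for bucket in sorted(per_bucket):
        ids = per_bucket[bucket]
        rows.append((bucket, len(ids), len(ids - seen)))
        seen |= ids
    return rows


def looks_like_resubmission(rows):
    """True when no bucket after the first introduces a new Report_Id,
    i.e. the events are the same queued reports being logged again."""
    return len(rows) > 1 and all(new == 0 for _, _, new in rows[1:])


def sample(ids_per_bucket):
    """Constructed sample data: one list of Report_Id values per bucket."""
    base = datetime(2024, 1, 1, 0, 5)
    return [(base + i * SPAN + timedelta(seconds=n), rid)
            for i, ids in enumerate(ids_per_bucket)
            for n, rid in enumerate(ids)]


if __name__ == "__main__":
    retries = sample([["r1", "r2", "r3"]] * 4)   # same reports every bucket
    fresh = sample([["r1"], ["r2"], ["r3"]])     # a new report each bucket
    for name, data in (("retries", retries), ("fresh", fresh)):
        rows = summarize(data)
        print(name, [(d, n) for _, d, n in rows], looks_like_resubmission(rows))
```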