Getting Data In

How to set timing/interval when pulling event in WinEventLog using universal forwarder?

vin_ven27
Explorer

We install Universal forwarder in Windows Server for us to pull data from [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] to Splunk, to monitor jobs/event.
Currently per check we are getting data real time from WinEventLog. Is there a way that we can change the timing/interval in every 10mins? We already tried:

interval = 600, interval = <cron> , schedule = 600 and schedule = <cron> but doesn't work. 

May we know if you have any solution for this?

Please...


gcusello
SplunkTrust

Hi @vin_ven27,

You can find the options for a wineventlog input at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Inputsconf

Anyway, the Splunk UF continuously takes wineventlogs and sends them (by default) every 30 seconds.

If you want, you can change the sending frequency on the outputs.conf.

It's not possible to set a frequency for the wineventlog input.

Ciao.

Giuseppe


hazem
Path Finder

Hi @gcusello 

What about reading logs from application log files? Is it continuously monitored, or can we make it interval-based?



gcusello
SplunkTrust

Hi @hazem ,

It's usually continuously monitored every 30 seconds, but you can change this frequency, even if I didn't do it.

Ciao.

Giuseppe


hazem
Path Finder

Hi @gcusello 

Could you please provide me with the stanza to change the interval required to read logs from the log file?


E.g. the MSSQL ERROR.log file.


gcusello
SplunkTrust

Hi @hazem ,

Right now I can't find the parameter, also because I try to avoid changing it; the default value is usually the best solution.

Ciao.

Giuseppe


vin_ven27
Explorer

Hi giuseppe,

May I know what parameters I can use in outputs.conf for the frequency setup?

I saw autoLBfrequency and polling_interval, but I am not sure if these are the parameters you are referring to. Please advise... tia


gcusello
SplunkTrust

Hi @vin_ven27,

At https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Routeandfilterdatad#Filter_event_data_... you can find all the outputs.conf parameters.

Between them see batchTimeout:

batchTimeout = <integer>
* How often, in seconds, to send out pipeline data.
* HTTP OUT batch pipeline data before sending out.
* If the wait time is greater than 'batchTimeout', HEC sends the data 
  out immediately.
* Default: 30

But why do you want to have data at fixed intervals instead of continuously?

Ciao.

Giuseppe


vin_ven27
Explorer

Hi Giuseppe,

Thank you for asking. Actually the client had a CPU problem on the Windows server end, and as per their initial checks they are seeing that the Universal Forwarder is the cause. So this is our workaround, just to refrain from getting the data in real time.

We believe (somehow) that it will resolve the problem by changing the interval to every 30 mins. However, we also have another approach, the whitelist/blacklist, but it seems like it is not working for us. We think that it is because the task name is not part of the filtering suggestions for whitelist/blacklist. The suggested keys are EventID, Category, Message, Opcode etc., which are not available in the _raw events. This is related to this link: https://community.splunk.com/t5/Getting-Data-In/How-to-setup-to-whitelist-and-blacklist-in-inputs-co...

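As an added example (not code from this thread, from Splunk's documentation, or from the poster), this is an inputs.conf stanza for the universal forwarder that reduces the volume of the Task Scheduler channel at the source, which is the lever the thread points to when no polling interval exists for the wineventlog input. It filters on the event ID and on a task-path pattern inside the message text via the key=%regex% whitelist syntax; the task path \Finance\, the index name, and the event IDs chosen are placeholders and assumptions to be verified against the inputs.conf reference linked above for the UF version in use.

```ini
# inputs.conf on the universal forwarder (added example, not from the thread).
# Assumptions: the Microsoft-Windows-TaskScheduler/Operational channel is
# enabled on the host, the index exists, and "\Finance\" is a placeholder
# for the folder under which the monitored jobs are registered.
[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
disabled = 0
index = windows_taskscheduler

# Only ship events logged after the forwarder starts; do not replay the
# channel backlog on every restart, which also avoids a CPU spike at startup.
current_only = 1

# Advanced whitelist format: each entry is <key>=%<regex>% and every
# key/regex pair on the same line must match for the event to be kept.
# EventCode restricts to task lifecycle events (registered/updated/deleted);
# Message restricts to tasks whose path contains "\Finance\".
# Regexes are PCRE, so the literal backslashes are escaped.
whitelist1 = EventCode=%^(106|140|141)$% Message=%\\Finance\\%

# Optional: drop the very chatty per-run action events even if they match
# above. Keep this commented out if those events are needed for job monitoring.
# blacklist1 = EventCode=%^(200|201)$%
```

Events that match neither whitelist line are discarded on the forwarder before they reach outputs.conf, so the batching settings discussed above only affect how often the already-filtered data is sent, not how much of it is collected.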

gcusello
SplunkTrust

Hi @vin_ven27,

I encountered this kind of problem and solved it with Splunk Support, so my hint is to open a ticket.

Usually the problem is related to the connection with the DNS for URL resolution, not to the frequency of data sending.

Ciao.

Giuseppe


vin_ven27
Explorer

Will do, thanks buddy. Appreciate your help.


Ciao.

Alvin


gcusello
SplunkTrust

Hi @vin_ven27,

If one answer solves your need, please accept it for the other people of the Community, or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
