Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are Windows Event Logs sent and indexed every half hour?

mmccul
SplunkTrust
SplunkTrust
‎04-12-2017 12:50 PM

Our domain controllers were resending the entire Windows EventLog every 30 minutes. No duplicate inputs entries. No duplicate outputs entries. Using a search like

host=foohost index=bar_index earliest=-1h | 
convert ctime(_indextime) | 
convert ctime(_time) | 
stats count list(host) list(splunk_server) list(_time) list(_indextime) by _raw

would display multiple indexings of the exact same _raw message, even the timestamp. Adjusting the earliest parameter showed that it happened every 30 minutes.

We encountered this on Splunk 6.5.1

We tried a fresh re-install of the forwarder, no change.

We tried inspecting the checkpoint file, but it wasn't corrupt or anything.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mmccul
SplunkTrust
SplunkTrust
‎04-13-2017 09:44 AM

After much debugging with Splunk support, we determined that having

start_from=newest

in our configs was a primary cause of the behavior. Disabling that directive on the inputs, going back to the default

start_from = oldest

eliminated the issue immediately. Hopefully this helps others.

View solution in original post

Reply
Solved! Jump to solution
Solution

mmccul
SplunkTrust
SplunkTrust
‎04-13-2017 09:44 AM

After much debugging with Splunk support, we determined that having

start_from=newest

in our configs was a primary cause of the behavior. Disabling that directive on the inputs, going back to the default

start_from = oldest

eliminated the issue immediately. Hopefully this helps others.

Reply
Solved! Jump to solution

abalogh_splunk
Splunk Employee
Splunk Employee
‎04-12-2017 01:38 PM

Hi,
- Is the sourcetype the same? WMI enabled? Possible some other host is doing WMI collection? sourcetype would tell you that.
- If you disable inputs.conf will you still get logs?
- Check metrics.logs
- How was the UF installed? CLI installation with WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 ?

I hope this help you debugging the issue!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...