Resetting Remote Windows Event collection "starting point"

Richfez
SplunkTrust

While testing some training materials, I created a temporary index and a remote Windows event collection input for my own PC.

Then I deleted it and recreated it exactly as it had been. Again, testing docs for training. 😞

But my newly recreated input only grabbed events newer than the last time it indexed it and ignored the 2 or 3 weeks of previous entries. I figured this wasn't too big of a deal; I've reset file monitoring and database monitoring before, but I can't figure out how to reset the remote Windows event collections.

I saw this: I tried http://answers.splunk.com/answers/30006/how-do-i-trigger-the-re-indexing-of-events-from-a-locally-co...
But when I open the appropriate file in there with an SQLite DB viewer I only have 8 rows for other inputs, nothing for the one I need to start over.

So, does anyone have any ideas?

1 Solution

Richfez
SplunkTrust

Resolved, with some help from Support getting me in the right location.

I realized that the DB mentioned in the original question was old data, so I searched my system for another copy of said DB and found one in D:\splunk. Don't remember when I moved it, but whatever. 🙂

Unfortunately, while that one had newer information in it, it still wasn't quite current. But it got me in the right spot to look around and I found in there a folder d:\splunk\persistentstorage\wmi\ with a file in it "wmi.ini". That file had rows matching the "problem" machine name along with all the other machines I had listed in that input type.

So, to confirm I ...

  1. Deleted the input.
  2. Deleted the temporary index I had been using for that input.
  3. Stopped Splunk.
  4. Edited \persistentstorage\wmi\wmi.ini and removed lines referencing my PC name and saved the file.
  5. Started Splunk.
  6. Created new temporary index.
  7. Created new input just like the old one.

That worked as desired and that index now contains all the events my PC has on it instead of only the most recent ones.

NOTE: it appears that version 6.0 switched from recording this information in the SQLite DB and instead put it in the file I mentioned above.
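The stop / edit wmi.ini / start part of the procedure above (steps 3 to 5), as an added PowerShell example that is not part of the original answer. It assumes Splunk is installed under the `D:\splunk` path from the post, that the checkpoint file sits at `persistentstorage\wmi\wmi.ini` beneath it, and that the lines to drop are exactly those containing the remote host name; all three are assumptions, so check the path on your own host. It keeps a timestamped backup and prints the lines it removes before writing, so the change can be reviewed and reverted.

```powershell
# Added example, not code from the original post. Automates steps 3-5 of the
# answer: stop Splunk, remove the wmi.ini checkpoint lines for one host, start
# Splunk. Assumed: $SplunkHome layout and that matching lines contain $HostName.
param(
    [string]$SplunkHome = 'D:\splunk',                       # assumption: path from the post
    [Parameter(Mandatory = $true)][string]$HostName          # remote PC whose checkpoint is reset
)

$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
$wmiIni    = Join-Path $SplunkHome 'persistentstorage\wmi\wmi.ini'   # assumption: file location

if (-not (Test-Path $wmiIni)) { throw "Checkpoint file not found: $wmiIni" }

# Step 3: stop Splunk so it cannot rewrite the checkpoint file while we edit it.
& $splunkExe stop

# Keep a timestamped copy so the edit can be reverted.
$backup = "$wmiIni.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $wmiIni -Destination $backup

# Step 4: split the file into lines that mention the host (dropped) and the rest (kept).
# -match is case-insensitive; the host name is escaped so it is matched literally.
$pattern = [regex]::Escape($HostName)
$lines   = @(Get-Content -Path $wmiIni)
$removed = @($lines | Where-Object { $_ -match $pattern })
$kept    = @($lines | Where-Object { $_ -notmatch $pattern })

Write-Host "Backup written to $backup"
Write-Host "Removing $($removed.Count) line(s) referencing '$HostName':"
$removed | ForEach-Object { Write-Host "  $_" }

if ($removed.Count -eq 0) {
    Write-Warning "No lines referenced '$HostName'; file left unchanged."
} else {
    Set-Content -Path $wmiIni -Value $kept
}

# Step 5: start Splunk again; an input recreated for this host now has no checkpoint
# and will collect the full event log rather than only events after the old position.
& $splunkExe start
```

Run it as an account that can stop the Splunk service and write under `D:\splunk`, e.g. `.\Reset-WmiCheckpoint.ps1 -HostName MYPC`. Note that the answer also deletes the temporary index before recreating the input; if the index is kept, re-collecting from the beginning will index the already-collected events a second time.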


Richfez
SplunkTrust

Sorry, conversion must have done a number on the formatting.
