hi question regarding the wineventlog system collection.
for some reason splunk is only displaying event code 7036. i have a 2004 code that i am trying to log and set an alert but it is not picking it up for some reason. i see that 7036 is an information type and 2004 is a warning. what can i do to get 2004 to log?
figured it out,
changed start_from from oldest to newest
and current_only from 0 to 1
figured it out,
changed start_from from oldest to newest
and current_only from 0 to 1
update: im searching Last 30 days and its only logging today if that helps. 2004 event happened 10 days ago so i am not sure if the problem is that splunk is only logging todays events or if it can see any other events
please share your inputs stanza for winevenlog system
supposed to be something like that:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
i only had disabled = 0 and my index, updated to what you mentioned and still no luck, only showing todays logs.
[WinEventLog://System]
disabled = 0
index=main
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false