Getting Data In

Windows 2008 Server Event Viewer Logs

kbecker
Communicator

In the Server 2008 Event Viewer there are now a "Microsoft --> Windows" folders nested under the "Applications and Services Logs" section. What should the Splunk inputs.conf look like for the event logs under the "Microsoft" --> "Windows" folder. Specifically I am looking for the "PrintService --> Operational", but if anybody has any of these other logs being indexed the base input should be the same

**%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-**PrintService%4Operational.evtx

I tried the following with no success...

[WinEventLog:Microsoft:Windows:PrintService Operational]
[WinEventLog:PrintService Operational]

Thanks in advance...

1 Solution

kbecker
Communicator

This is stanza required

[WinEventLog:Microsoft-Windows-PrintService/Operational]

Thanks to Ellen Hom with Splunk Support

View solution in original post

patelpin
New Member

Are you using "Splunk Forwarder" on the target Machine????

0 Karma

cervelli
Splunk Employee
Splunk Employee

The add data interface will list these out as well. Even if you intended to deploy to a forwarder, you can still create the stanza as a sample on one Splunk to make sure the syntax is correct.

0 Karma

kbecker
Communicator

This is stanza required

[WinEventLog:Microsoft-Windows-PrintService/Operational]

Thanks to Ellen Hom with Splunk Support

AaronMoorcroft
Communicator

dont worry managed to get it working with this -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

after some restarting if the forwarders 🙂

0 Karma

AaronMoorcroft
Communicator

So is that all you need to have in your input.conf file ? or do you need somthing somewhere else ? I need to monitor that particular event log however im getting nothing currently, I did merge that event log with the system event log which did sort or work but not as I need it to.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...