Getting Data In

Splunk forwarders failing to send some of the Windows application Event logs for some devices

Gayathirikuppus
New Member

Why are Splunk forwarders failing to send some of the Windows Application event logs for some devices? We are using the Splunk_TA_windows add-on for ingesting the Windows Event Viewer logs into Splunk. We do not observe any error in the internal log, but found some warning messages, as mentioned below:

3/19/18
11:33:47.270 PM
03-19-2018 23:33:47.270 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 23:33:47 2018). Context: source::WMI:Services|host::XXXXXX|WMI:Services|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:50:29.897 PM
03-19-2018 22:50:29.897 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:50:29 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:48:36.030 PM
03-19-2018 22:48:36.030 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:48:35 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd
3/19/18
10:45:09.527 PM
03-19-2018 22:45:09.527 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Mar 19 22:45:09 2018). Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
host = XXXXXX source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd

Please find the inputs.conf below:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = false
_meta = fromserver::Y

Is there any other configuration that I need to check? What am I missing here?

0 Karma

Gayathirikuppus
New Member

We have many event codes, but only a few of them are getting ingested into Splunk.

0 Karma

adonio
Ultra Champion

On one hand, your inputs refer to the forwarder's event log monitor; on the other hand, your error suggests WMI inputs.
There might be some conflict there. Can you verify the entire inputs.conf? Do you have an inputs.conf in /etc/system/local as well?

0 Karma
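To find out which file the WMI inputs named in those warnings come from, here is an added example (not from this thread, and not code from Splunk or Splunk_TA_windows) that pulls the source names out of the DateParserVerbose lines and looks each one up across the forwarder's .conf files, reporting whether the stanza is enabled. It assumes the file paths and contents shown, which are constructed; because WMI inputs are defined in wmi.conf rather than inputs.conf, both file types are included in the scan.

```python
import configparser
import re
# Constructed contents of the .conf files a forwarder reads (paths assumed).
# WMI inputs live in wmi.conf rather than inputs.conf, so both are scanned.
SAMPLE_CONF_FILES = {
    "etc/system/local/inputs.conf": """
[WinEventLog://Application]
disabled = 0
renderXml=false
_meta=fromserver::Y
""",
    "etc/apps/Splunk_TA_windows/local/wmi.conf": """
[WMI:Services]
disabled = 0
wql = select * from Win32_Service
[WMI:SessionProcess]
disabled = 1
wql = select * from Win32_Process
""",
}
# Constructed splunkd.log lines in the shape quoted in the question.
SAMPLE_SPLUNKD_LOG = """\
03-19-2018 23:33:47.270 -0400 WARN DateParserVerbose - Failed to parse timestamp. Context: source::WMI:Services|host::XXXXXX|WMI:Services|1
03-19-2018 22:50:29.897 -0400 WARN DateParserVerbose - Failed to parse timestamp. Context: source::WMI:SessionProcess|host::XXXXXX|WMI:SessionProcess|1
"""
CONTEXT_SOURCE = re.compile(r"Context: source::([^|]+)\|")

def parse_conf(text):
    """Parse a Splunk INI-style .conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (e.g. renderXml)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def warned_sources(log_text):
    """Distinct source names cited in DateParserVerbose warnings, in order seen."""
    seen = []
    for line in log_text.splitlines():
        m = CONTEXT_SOURCE.search(line) if "DateParserVerbose" in line else None
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def locate_stanza(conf_files, stanza):
    """(path, enabled) for every file that defines `stanza`; [] if none does."""
    hits = []
    for path, text in conf_files.items():
        keys = parse_conf(text).get(stanza)
        if keys is not None:
            hits.append((path, keys.get("disabled", "0").lower() in ("0", "false")))
    return hits
```

On a real forwarder, replace the constructed dicts with the contents of every inputs.conf and wmi.conf under etc/system and etc/apps/*/{default,local}, and the splunkd.log quoted above; a warned source with no hit or an enabled hit in an unexpected app is the stanza to reconcile.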

Gayathirikuppus
New Member

Yeah, the inputs.conf that I have shared is from the local folder. Where do I need to check for WMI inputs to find the discrepancy?

0 Karma