Starting point of index

n_greder
New Member

Hello,

I would like to add a monitor for EventLog:Security.
This event log contains many entries, and if I add it directly, I know that Splunk will index thousands of events and my 500 MB will be consumed.

So I saw in the tutorial that it was possible to choose at what point in time Splunk begins to index events, with the following lines in inputs.conf:

[WMI:WinEventLog:Security]
disabled = 0
start_from = newest
current_only = 1

I have a question:
Is the only way to do this to use the inputs.conf file? Because if I use Splunk Web, it starts indexing all events from the event logs, so I have to prepare my inputs.conf file beforehand, no?

Thanks for your help

0 Karma
1 Solution

MHibbin
Influencer

That's kind of correct... modifying inputs.conf is the way to go (make sure you restart Splunk to apply the changes), however your config is slightly wrong, you should try:

[WMI:WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1

This will just read from the oldest to newest (i.e. normal chronological flow), but only starting from the first event from when the input is enabled (i.e. restart Splunk to apply the config). At the moment you have it backwards, as it will read in reverse chronological order and then go back to the latest, which doesn't make sense.

HOWEVER... although you may exceed your daily limit, Splunk will not punish you for your first offence, as in the real world there are times when we find the unexpected, and perhaps your logging source goes rogue and pumps out gigs of data. You should read the following doc, as indexing some of your older/historic events may be useful in showing Splunk's potential...

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Aboutlicenseviolations

Hope this helps

n_greder
New Member

Hello MHibbin,

OK, about newest and oldest, I had a doubt about understanding the explanation in the admin guide clearly, but my boss said it was possible to index only since a specific date...

Thanks for your answer and have a nice day

0 Karma

bmacias84
Champion

As a note: current_only = 1 will only capture events while the Splunk service is running. Alternatively, you could write your own specific WMI query for the event log that pulls events after a certain date.

WMI QUERY:

Select * from Win32_NTLogEvent Where Logfile = 'System' AND TimeWritten >= '20121101000000.000000-360'

'20121101000000.000000-360' is year=2012, month=11, day=01, with the UTC offset in minutes (-360) at the end.
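The TimeWritten filter above only works if the literal is a well-formed DMTF datetime: 14 digits, a dot, 6 digits of microseconds, then a sign and a three-digit UTC offset in minutes (25 characters). A truncated offset such as "-36" is silently wrong. The following script is an added example for this thread, not Splunk's own code: it builds that literal from a timezone-aware Python datetime, validates a literal before it is pasted into a query, and assembles the WQL for a chosen log (here Security, the log the original question is about). The assumption is that the resulting query string would be placed in the wql setting of a wmi.conf stanza; the function and variable names are the example's own.

```python
"""Build and validate DMTF timestamps for a Win32_NTLogEvent WQL filter.

Added example for this thread; not code from Splunk or the original poster.
"""
import re
from datetime import datetime, timedelta, timezone

# DMTF datetime: yyyymmddHHMMSS.mmmmmm followed by +/- and a 3-digit UTC
# offset expressed in minutes (e.g. -360 for UTC-6), 25 characters total.
DMTF_RE = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})"
)


def to_dmtf(dt: datetime) -> str:
    """Render a timezone-aware datetime in DMTF form."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("datetime must be timezone-aware")
    offset_min = int(dt.utcoffset().total_seconds() // 60)
    sign = "-" if offset_min < 0 else "+"
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{sign}{abs(offset_min):03d}"


def is_dmtf(text: str) -> bool:
    """True only for a complete 25-character DMTF literal."""
    return DMTF_RE.fullmatch(text) is not None


def from_dmtf(text: str) -> datetime:
    """Parse a DMTF literal back into an aware datetime; reject malformed input."""
    m = DMTF_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a DMTF datetime: {text!r}")
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    minutes = int(off) * (-1 if sign == "-" else 1)
    tz = timezone(timedelta(minutes=minutes))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=tz)


def since_query(logfile: str, start: datetime) -> str:
    """WQL returning events written at or after `start` from the given log.

    The log name is restricted to a safe character set so a caller cannot
    break out of the quoted literal (WQL has no parameter binding).
    """
    if not re.fullmatch(r"[A-Za-z0-9 _-]+", logfile):
        raise ValueError("unexpected characters in logfile name")
    return (
        "Select * from Win32_NTLogEvent Where Logfile = "
        f"'{logfile}' AND TimeWritten >= '{to_dmtf(start)}'"
    )


if __name__ == "__main__":
    # Constructed sample: 1 Nov 2012 00:00 local time in a UTC-6 zone.
    start = datetime(2012, 11, 1, tzinfo=timezone(timedelta(hours=-6)))
    print(since_query("Security", start))
    # The truncated literal from the thread fails validation.
    print(is_dmtf("20121101000000.000000-36"))
```

Run the script once to print the query, then copy the literal it produces; the Security log on a busy domain controller is far larger than System, so a start date in the past can still pull in more than a 500 MB daily quota allows.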
