Hi Team,
We are working on a solution to monitor the utilization time of resources on their machines. We have about 1000 machines where Splunk forwarders are installed. These forwarders are pushing data to a central Splunk instance.
The issue that we are now facing is that the event codes are getting missed sometimes. For example, after an unlock (4801) there should be a lock (4800). But we are getting two consecutive unlock event codes (4801) without a lock. This is sending our calculation of utilization time for a toss.
Below is the input stanza in the Splunk forwarders.
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = test_events
start_from = oldest
whitelist = 4624,4634,4800,4801
We have been unable to figure out this issue for the past week. Can someone please help us out on this?
Many Thanks,
Naagaraj SV
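The pairing problem described in the post, as an added example that is not part of the original post or of Splunk: a small pairing routine over constructed 4800/4801/4634 records (event tuples are made up, not forwarder output) that reports a lower and an upper bound on active time per host, so a lost 4800 between two 4801 events widens the bounds and is flagged instead of silently corrupting the total. It assumes only lock, unlock and logoff events are used as interval boundaries.

```python
from datetime import datetime

UNLOCK, LOCK, LOGOFF = 4801, 4800, 4634

# Constructed sample events (host, timestamp, EventCode); not real Splunk output.
# Host "A" shows the symptom from the post: two 4801 events with no 4800 between them.
SAMPLE_EVENTS = [
    ("A", "2024-01-01 09:05:00", UNLOCK),
    ("A", "2024-01-01 09:45:00", LOCK),
    ("A", "2024-01-01 10:00:00", UNLOCK),
    ("A", "2024-01-01 10:30:00", UNLOCK),   # the 4800 before this one was lost
    ("A", "2024-01-01 11:00:00", LOCK),
    ("B", "2024-01-01 08:00:00", UNLOCK),
    ("B", "2024-01-01 09:00:00", LOGOFF),   # a logoff also ends an unlocked interval
]


def utilization(events):
    """Per host, return min/max active seconds plus a list of anomalies.

    An unlock followed by a lock or logoff is a fully known active interval.
    An unlock followed by another unlock means a lock was lost: the real
    active time lies somewhere in [0, gap], so the gap is added only to the
    upper bound and the pair is recorded as an anomaly for investigation.
    """
    parsed = sorted(
        ((h, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), code) for h, ts, code in events),
        key=lambda e: (e[0], e[1]),
    )
    result, open_since = {}, {}
    for host, ts, code in parsed:
        r = result.setdefault(host, {"min_active_s": 0.0, "max_active_s": 0.0, "anomalies": []})
        start = open_since.get(host)
        if code == UNLOCK:
            if start is not None:
                # Consecutive unlock: the lock between them never arrived.
                r["max_active_s"] += (ts - start).total_seconds()
                r["anomalies"].append(f"missing 4800 between {start} and {ts}")
            open_since[host] = ts
        elif code in (LOCK, LOGOFF):
            if start is None:
                r["anomalies"].append(f"{code} at {ts} without a prior 4801")
            else:
                active = (ts - start).total_seconds()
                r["min_active_s"] += active
                r["max_active_s"] += active
                open_since[host] = None
    return result
```

A host whose bounds differ is one where a checkpoint or forwarder gap should be investigated rather than a number to be trusted.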