I have a server that had a corrupted Security Log.
In order to resolve that problem I backed up the security log and cleared it.
Now new events are not showing up from that server's security log in Splunk.
I did some checking of the _internal index and saw that the WMI query that is being used is checking for items where RecordNumber > 6918747. When I cleared the event log, it reset the RecordNumber to 1 on the server, and since 6 million+ security items have not yet happened, the WMI query is gathering no information from that server.
Is there a command I can run to reset this remembered checkpoint value?
Thanks