We have Splunk running on all of our Windows Domain Controller servers (80 of them), but we seem to be missing events:
To try and find the missing events I run the below search:
host=server1* source="WinEventLog:Security" | sort 10000000 RecordNumber | delta RecordNumber as ID_diff | search ID_diff>1 | table _time RecordNumber ID_diff
While this search works, it must be run per server, and with 80 servers to run it on, this can take a long time.
Is there a way to run this search on all of my servers at once and not have it interfere with other results?
We are running Splunk 6.1.4.
Thanks
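The search in the question works for one host because every RecordNumber it sees belongs to that host; run across several hosts at once, the global sort interleaves each host's independent counter and delta reports differences between hosts as if they were gaps. The Python below is an added example, not part of the post or of Splunk, that reproduces the question's delta logic on a constructed set of Security events from three hosts and contrasts it with the per-host grouping that makes one pass over all servers meaningful. It assumes events arrive as dicts with host, _time and RecordNumber fields, as a Splunk export would provide them. One caveat a defender should keep in mind: a RecordNumber gap only proves the records never reached the index; events dropped by an inputs.conf whitelist/blacklist on the forwarder leave exactly the same kind of gap as events lost in transit.

```python
from collections import defaultdict

# Constructed sample events (not real data): Security log records from three
# domain controllers, interleaved in time as a multi-host search returns them.
# server1 is missing 1003-1004; server2 is missing 5003-5009; server3 is intact.
SAMPLE_EVENTS = [
    {"host": "server1", "_time": 1700000000, "RecordNumber": "1001"},
    {"host": "server2", "_time": 1700000001, "RecordNumber": "5000"},
    {"host": "server1", "_time": 1700000002, "RecordNumber": "1002"},
    {"host": "server2", "_time": 1700000003, "RecordNumber": "5001"},
    {"host": "server1", "_time": 1700000010, "RecordNumber": "1005"},
    {"host": "server2", "_time": 1700000011, "RecordNumber": "5002"},
    {"host": "server3", "_time": 1700000012, "RecordNumber": "42"},
    {"host": "server3", "_time": 1700000013, "RecordNumber": "43"},
    {"host": "server2", "_time": 1700000020, "RecordNumber": "5010"},
    # A duplicate (re-indexed) record must not be reported as a gap.
    {"host": "server3", "_time": 1700000014, "RecordNumber": "43"},
]


def _gaps_in_sequence(events):
    """Walk events sorted by RecordNumber and yield every jump larger than 1.

    Mirrors 'sort RecordNumber | delta RecordNumber as ID_diff | search ID_diff>1'.
    Duplicates (diff == 0) are ignored; they indicate re-indexing, not loss.
    """
    ordered = sorted(events, key=lambda e: int(e["RecordNumber"]))
    prev = None
    for ev in ordered:
        rec = int(ev["RecordNumber"])
        if prev is not None and rec - prev["RecordNumber"] > 1:
            yield {
                "host": ev["host"],
                "prev_host": prev["host"],
                "after_record": prev["RecordNumber"],
                "next_record": rec,
                "next_time": ev["_time"],
                "missing": rec - prev["RecordNumber"] - 1,
            }
        prev = {"host": ev["host"], "RecordNumber": rec}


def naive_global_gaps(events):
    """The question's search applied to all hosts in one pass, without grouping.

    Every cross-host jump (e.g. server3's 43 followed by server1's 1001) shows
    up as a spurious 'gap', so the result is not usable across servers.
    """
    return list(_gaps_in_sequence(events))


def find_record_gaps(events):
    """Per-host gap detection: group by host first, then apply the delta logic.

    Returns one dict per real gap with the host, the last RecordNumber seen
    before the gap, the first one after it, and how many records are missing.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    gaps = []
    for host in sorted(by_host):
        gaps.extend(_gaps_in_sequence(by_host[host]))
    return gaps


def missing_per_host(events):
    """Summary a reviewer can scan: total missing records per host (hosts with
    no gaps are reported with 0 so a silent host is visible, not absent)."""
    totals = {ev["host"]: 0 for ev in events}
    for gap in find_record_gaps(events):
        totals[gap["host"]] += gap["missing"]
    return totals


if __name__ == "__main__":
    print("naive, one pass over all hosts:")
    for g in naive_global_gaps(SAMPLE_EVENTS):
        print("  %s -> %s: %d missing" % (g["prev_host"], g["host"], g["missing"]))
    print("grouped by host:")
    for g in find_record_gaps(SAMPLE_EVENTS):
        print("  %s: %d missing between %d and %d"
              % (g["host"], g["missing"], g["after_record"], g["next_record"]))
    print(missing_per_host(SAMPLE_EVENTS))
```

The grouping step is the whole point: in Splunk the same effect comes from a command that splits by host (delta itself takes no by clause, whereas streamstats does), and the summary per host is what lets one search over all 80 controllers show which ones are actually dropping events rather than listing every cross-host jump.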