We have thousands of Universal Forwarders (UF) in a large virtual desktop environment where we need to minimize the footprint and particularly the I/O as much as possible.
Our question is about getting the WinEventLog configuration in the Splunk 6.4.1 UF on Windows 7 x64 to use a 60-second checkpointInterval.
For example:
[WinEventLog://Security]
checkpointInterval = 5
evt_resolve_ad_obj = 0
disabled = 0
We believe that for this particular input there's no need to checkpoint every 5 seconds, so we are hoping to modify this interval to reduce the disk writes, as shown below, but Splunk is not taking the new value (checkpointInterval = 60) into account:
[WinEventLog://Security]
checkpointInterval = 60
evt_resolve_ad_obj = 0
disabled = 0