Hi Guys,
I have installed Splunk UF 6.3.3 on our Domain Controller (Windows Server 2012) and the following is my inputs.conf:
[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
evt_resolve_ad_obj = 0
checkpointInterval = 5
# exclude these event IDs from being indexed.
blacklist = 4634,4648,5156,4776,5145,4769,5158,5140,4658,4768,4661,4771,4672,5136,4770,4932,4933,4760,4625,4656,4663,4690,5154,4670,5152,5157,4724,4738,4931
index = wineventlog
renderXml = false
The ISSUE is that I can see the log count increasing in real time in the data summary for this sourcetype, i.e. events are getting indexed, but when I do a search it does not show any new events. Only when I restart the UF do I begin to see logs, which then stop again, and I have to keep repeating the restart of splunkd on the UF to see the new logs in search.
Any help would be appreciated.
Thanks in advance.
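As an added illustration (not part of the original post or of Splunk itself), the script below parses the inputs.conf stanza quoted above, reads the comma-separated `blacklist`, and reports which commonly used Security event IDs that list excludes from indexing. The event ID meanings and the `current_only` note are standard Windows/Splunk semantics; the `DETECTION_RELEVANT` table is a small illustrative set chosen for this example, not an exhaustive list.

```python
"""Audit a Splunk inputs.conf WinEventLog stanza: which Security events does the
blacklist drop before they are ever indexed?  (Added example; sample text below is
the stanza from the post, embedded here so the script runs offline.)"""

# Constructed sample: the [WinEventLog://Security] stanza from the post.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
evt_resolve_ad_obj = 0
checkpointInterval = 5
# exclude these event IDs from being indexed.
blacklist = 4634,4648,5156,4776,5145,4769,5158,5140,4658,4768,4661,4771,4672,5136,4770,4932,4933,4760,4625,4656,4663,4690,5154,4670,5152,5157,4724,4738,4931
index = wineventlog
renderXml = false
"""

# Security event IDs that detection content commonly depends on.
# Assumption: an illustrative subset for this example, not a complete catalogue.
DETECTION_RELEVANT = {
    4624: "successful logon",
    4625: "failed logon",
    4648: "logon using explicit credentials",
    4672: "special privileges assigned to new logon",
    4720: "user account created",
    4740: "user account locked out",
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
    4776: "NTLM credential validation",
}


def parse_inputs_conf(text):
    """Parse Splunk .conf text (INI-like, '#' comments) into {stanza: {key: value}}.
    Key case is preserved, which Python's configparser would not do by default."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any stanza, or not a key = value pair
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_blacklist(value):
    """Parse the plain comma-separated event-ID form of 'blacklist' into a set of ints.
    Any other token (for example a regex-style entry) raises, so a typo in the list
    is caught instead of being silently ignored."""
    ids = set()
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit():
            raise ValueError("unsupported blacklist token: %r" % token)
        ids.add(int(token))
    return ids


def audit_stanza(stanza):
    """Return which detection-relevant events the stanza's blacklist excludes,
    plus notes on settings that change what gets collected."""
    blacklisted = parse_blacklist(stanza.get("blacklist", ""))
    excluded = {eid: name for eid, name in DETECTION_RELEVANT.items() if eid in blacklisted}
    notes = []
    if stanza.get("current_only") == "1":
        notes.append("current_only=1: only events written while the forwarder is "
                     "running are collected; events logged while it is stopped are "
                     "not backfilled")
    return {"blacklisted": blacklisted, "excluded_detection_events": excluded, "notes": notes}


if __name__ == "__main__":
    report = audit_stanza(parse_inputs_conf(SAMPLE_INPUTS_CONF)["WinEventLog://Security"])
    print("%d event IDs blacklisted" % len(report["blacklisted"]))
    for eid, name in sorted(report["excluded_detection_events"].items()):
        print("  excluded: %d (%s)" % (eid, name))
    for note in report["notes"]:
        print("  note: " + note)
```

Running it against the stanza from the post shows that failed logons (4625), explicit-credential logons (4648), privileged logons (4672), the Kerberos ticket events (4768/4769) and NTLM validation (4776) never reach the index; whether that is acceptable depends on what the index is expected to answer, but a blacklist on a domain controller is worth reviewing with that list in hand.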