How can I configure Splunk Forwarder to NOT index historical WinEvents?

I intend to install Splunk as a forwarder on my Windows boxes, but I only want Splunk to monitor for the very latest, most recent Windows events being logged now in real-time and I DO NOT want it to also index all of the historical events that may be logged in the Event Viewer previously.

The reason is, when it starts indexing the historical Win Events, it causes the CPU to spike up initially, and I cannot allow that to happen when I deploy it on a new Windows server.

Can I configure Splunk on Windows to only index real-time data coming in now and avoid causing the CPU to spike upon initial deployment of Splunk?

asked 28 Apr '10, 17:08

maverick ♦
2.6k●6●5●73
accept rate: 14%

2 Answers:

oldest newest most voted

current_only: http://www.splunk.com/base/Documentation/latest/Admin/MonitorWindowsdata#Configure_event_log_monitoring_using_configuration_files

Specify whether to index starting at earliest or most recent event

Use these settings to specify which in chronological order you want to index the events, from oldest->newest or newest->oldest, and whether you want to index all pre-existing events, or just new events.

start_from = oldest current_only = 1 start_from: By default, Splunk starts with the oldest data and indexes forward. We don't recommend changing this setting, as it results in a highly inefficient indexing process. current_only: This option allows you to only index new events, from the moment Splunk was started. It acts like a tail to a file.

link

answered 28 Apr '10, 17:25

gkanapathy ♦
26.2k●1●6●22
accept rate: 42%

edited 28 Apr '10, 17:32

Simeon ♦
3.7k●5●6●27

0	What happens if you stop splunk for say one hour and start it again. Will it then continue from where it left off or start from the most current once more, missing one hour of event logs? link answered 20 Jul '10, 14:59 Joffer 148●9 accept rate: 25%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

configuration ×309
windows ×302
performance ×147
deployment ×120
windows-event-logs ×108

Asked: 28 Apr '10, 17:08

Seen: 1,682 times

Last updated: 20 Jul '10, 14:59

How can I configure Splunk Forwarder to NOT index historical WinEvents?

Follow this question

Splunk Resources

Related questions