This article contains common issues and troubleshooting steps for collecting Windows events using Cribl Edge.
Issue: Need to clear Edge state for Windows events
Possible Causes:
- You want to switch from collecting the "Entire Log" to "From last entry" to only collect new events.
- You have upgraded a Windows Server in place which has reset the event count.
Potential Resolutions:
- Remove or rename the state file called
state.ndjsonlocated at C:\ProgramData\Cribl\state\kvstore\default\win_event_logs_in_win_event_logs\ and then restart the Cribl service.