https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294749#M19292 <P>Hi arechenberg,</P> <P>I've resolved this kind of problem by just converting <CODE>.evtx</CODE> file to <CODE>.txt</CODE> file, you can do it by opening the <CODE>.evtx</CODE> file on the Windows Event Viewer on your local machine and save it as Text file or CSV, after converting <CODE>.evtx</CODE> file to text file or csv you may now ingest in to your splunk. I've provided link on how to save windows event as text file or csv below.</P> <P><A href="https://technet.microsoft.com/en-us/library/cc749339(v=ws.11).aspx">https://technet.microsoft.com/en-us/library/cc749339(v=ws.11).aspx</A></P> Wed, 23 Aug 2017 06:39:49 GMT dantimola 2017-08-23T06:39:49Z https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294745#M19288 <P>I tried the following:</P> <P>settings -&gt; Add Data -&gt; Upload Data -&gt; choose xxx.evt as my source and I'm lost at "Set Source Type". My default source-type shows "preprocess-winevt". I found another source type call Event Log, but when I chose it, the preview is still displayed as hex values. </P> <P>I have been directed to <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorwindowsdata">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorwindowsdata</A> many times and I don't understand what it is trying to say in the document....how do I index all my exported evt and evtx files?</P> <P>I'm on trial version.</P> Tue, 16 May 2017 05:48:43 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294745#M19288 wuming79 2017-05-16T05:48:43Z https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294746#M19289 <P>settings -&gt; data inputs (top right corner) -&gt; local event log collection -&gt; pick the windows logs you want<BR /> read here more: <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/HowtogetWindowsdataintoSplunk">http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/HowtogetWindowsdataintoSplunk</A></P> Tue, 16 May 2017 18:03:47 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294746#M19289 adonio 2017-05-16T18:03:47Z https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294747#M19290 <P>What if i exported .evtx file from other machine and i want to ingest it to our splunk?</P> Wed, 16 Aug 2017 08:09:09 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294747#M19290 dantimola 2017-08-16T08:09:09Z https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294748#M19291 <P>This answer assumes that Splunk is running on the same machine as the Windows log files. I believe the intent of the question was how to index *.evtx files that have been exported from a machine as files and then import them into a different machine running Splunk.</P> <P>I would like to know an answer to this question as well. Having a similar problem - I upload the evtx file, file recognized by Splunk as <CODE>preprocess-winevt</CODE>, complete the import but no data is indexed by Splunk, or very old events (e.g. events from November 2016) are indexed.</P> <P>Any help is much appreciated, Andy</P> Mon, 21 Aug 2017 22:09:19 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294748#M19291 arechenberg 2017-08-21T22:09:19Z https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294749#M19292 <P>Hi arechenberg,</P> <P>I've resolved this kind of problem by just converting <CODE>.evtx</CODE> file to <CODE>.txt</CODE> file, you can do it by opening the <CODE>.evtx</CODE> file on the Windows Event Viewer on your local machine and save it as Text file or CSV, after converting <CODE>.evtx</CODE> file to text file or csv you may now ingest in to your splunk. I've provided link on how to save windows event as text file or csv below.</P> <P><A href="https://technet.microsoft.com/en-us/library/cc749339(v=ws.11).aspx">https://technet.microsoft.com/en-us/library/cc749339(v=ws.11).aspx</A></P> Wed, 23 Aug 2017 06:39:49 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-index-exported-evt-and-evtx-files/m-p/294749#M19292 dantimola 2017-08-23T06:39:49Z