topic Re: Can't find "local event logs" option in splunk in Getting Data In

Can't find "local event logs" option in splunk

obuobu — Mon, 22 Apr 2024 21:30:18 GMT

Hey, I installed splunk enterprise free trial on ubuntu server and this is the first time I am using splunk so I am following a video. I am having trouble locating "local event logs" option while adding data to splunk from a universal forwarder in windows server. I want to capture event logs from windows server to see in splunk. Please help me out as soon as possible.

Thank you.

Re: Can't find "local event logs" option in splunk

gcusello — Tue, 23 Apr 2024 06:14:10 GMT

Hi @obuobu ,

let me understand:

you have a Splunk Enterprise installed on Ubusntu,
then you have Splunk Universal Forwarder installed on a windows machine,
you want to see the logs from the Windows machine in Splunk,
is it correct?

At first did you configured your Splunk Enterprise Server to receive logs [Settings > Forwardering and Receiving > Receiving]?

Then, did you configured your UF (that I suppose it's installed) to send logs to the Splunk Enterprise Server?

Then did you configured the local inputs locally or using a Deployment Server?

for more infos see the ingestion process at https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents

Ciao.

Giuseppe

Re: Can't find "local event logs" option in splunk

nikunj-2386 — Tue, 11 Jun 2024 07:06:39 GMT

- I've encountered the same issue before.
- You can resolve it by following these steps:
  - Navigate to "Settings"
  - Click on "Data Inputs" Within "Data Inputs," you'll find two sections:
      - "Local inputs"
      - "Forwarded inputs"
  - Choose "Forwarded Inputs"
  - Select "Windows Event Logs"

- To add a new configuration, click on the "+ Add new" option next to "Windows Event Logs".
- If you don't see any "Available hosts" at the first "Select Forwarders" stage, try refreshing the page 5-6 times or go back and try adding new again.

Re: Can't find "local event logs" option in splunk

greengrocer92 — Thu, 19 Sep 2024 20:49:01 GMT

Just encountered the same issue. I'm following allow on a Udemy Splunk course. The instructor is using Windows and it appears that this option is for local Windows Event logs that one would view in Event Viewer (they're not flat text files). I'm guessing that the option appears only on Windows, as Ubuntu and MacOS (which I'm using) use flat files for logs rather than Windows events, which I assume are in a dB format that Event Viewer parses.

Re: Can't find "local event logs" option in splunk

kuukudjan — Thu, 31 Jul 2025 01:56:18 GMT

Kindly repeat the step again "select the forwarders" then when it comes to selecting the server class dont create a new one just select "existing" and select the previous one you created and the "local events logs" will appear.