https://community.splunk.com/t5/Getting-Data-In/batching-EVT-Files/m-p/73280#M15020 <P>I am using the "Upload a File" option to input OLD event logs.... VERY SLOW TASK !!!! According to the doco, </P> <P>"<STRONG>__Use the batch input type in inputs.conf to load files once and destructively. By default, Splunk's batch processor is located in $SPLUNK_HOME/var/spool/splunk. If you move a file into this directory, Splunk indexes it and then deletes it._</STRONG>"</P> <P>I tried copying a .evt file here but it's not working ????</P> <P>Is there something else that needs to be done ????</P> <P>Thanks</P> Wed, 20 Oct 2010 06:32:05 GMT berniefieldhous 2010-10-20T06:32:05Z https://community.splunk.com/t5/Getting-Data-In/batching-EVT-Files/m-p/73280#M15020 <P>I am using the "Upload a File" option to input OLD event logs.... VERY SLOW TASK !!!! According to the doco, </P> <P>"<STRONG>__Use the batch input type in inputs.conf to load files once and destructively. By default, Splunk's batch processor is located in $SPLUNK_HOME/var/spool/splunk. If you move a file into this directory, Splunk indexes it and then deletes it._</STRONG>"</P> <P>I tried copying a .evt file here but it's not working ????</P> <P>Is there something else that needs to be done ????</P> <P>Thanks</P> Wed, 20 Oct 2010 06:32:05 GMT https://community.splunk.com/t5/Getting-Data-In/batching-EVT-Files/m-p/73280#M15020 berniefieldhous 2010-10-20T06:32:05Z https://community.splunk.com/t5/Getting-Data-In/batching-EVT-Files/m-p/73281#M15021 <P>I don't believe Splunk can read .evt files because they are in a non-textual format. Splunk will not perform any processing of binary type files. So in your case, I suspect we will not index that data as expected. </P> Wed, 20 Oct 2010 07:29:02 GMT https://community.splunk.com/t5/Getting-Data-In/batching-EVT-Files/m-p/73281#M15021 Simeon 2010-10-20T07:29:02Z https://community.splunk.com/t5/Getting-Data-In/batching-EVT-Files/m-p/73282#M15022 <P>A good answer is <A href="http://answers.splunk.com/questions/141/can-splunk-index-windows-event-logevt-evtx-files" rel="nofollow">here</A>. In short, you have to be running Splunk on Windows to index .evt/.evtx files. However, there are a few <A href="http://www.splunk.com/base/Documentation/latest/Admin/MonitorWindowsdata#Index_exported_event_log_.28.evt_or_.evtx.29_files" rel="nofollow">constraints</A>. Copying .evt files to $SPLUNK_HOME/var/spool/splunk should work as described in docs. </P> <P>If it still doesn't, could you tell which version of Splunk you're using, on which Windows version and from which Windows version are the evt files?</P> Wed, 20 Oct 2010 12:02:30 GMT https://community.splunk.com/t5/Getting-Data-In/batching-EVT-Files/m-p/73282#M15022 Leo 2010-10-20T12:02:30Z