topic Re: Indexing Log files which are in zip format in Getting Data In

Indexing Log files which are in zip format

1234testtest — Fri, 13 Jul 2012 11:59:57 GMT

Hi,
I am looking at indexing log files( windows event log .evt files which are zipped). Is there a step by step procedure on how to index these files.

I have looked at some answers earlier but couldnt find a complete solution.
http://splunk-base.splunk.com/answers/42128/indexing-zip-files

Re: Indexing Log files which are in zip format

rturk — Sun, 15 Jul 2012 15:30:16 GMT

By default Splunk will unzip files in a directory that it is configured to monitor, however it may be complicated by the fact that it's a zipped binary (I'd test, but I'm on a Mac/Unix setup), but I can't think of any reason why it wouldn't work.

You might want to have a look at this:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Index_exported_event_log_.28.evt_or_.evtx.29_files

Does it index an uncompressed .evt file without a problem?

Re: Indexing Log files which are in zip format

lguinn2 — Sun, 15 Jul 2012 19:04:42 GMT

Here is a link to the docs where it discusses monitoring Windows event logs - notice that there is a paragraph about indexing exported events logs, which impies that Splunk can index .evt files.

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorwindowsdata

Re: Indexing Log files which are in zip format

1234testtest — Mon, 28 Sep 2020 12:05:32 GMT

Event.zip files are being indexed when we choose while Adding data "Or Choose a Data Source"- "From files and directories".Doesnt work when go through the route - "Choose a Data Type" and "A file or directory of files".
The challenge still remains - when I choose a single event.zip file and upload and index (taking the route mentioned in 1 above), it gets indexed.

If we choose"Continuously index data from a file or directory this Splunk instance can access" and point to the directory where there are zipped event files, they are not being indexed.
The zip file contains a path inside it - when we open the zip file- there is a folder structure - Data1\event_bkup and the .evt file resides inside the event_bkup folder.

When I use btool - I see that the directory is listed for monitoring. How do we solve this issue.

Re: Indexing Log files which are in zip format

1234testtest — Mon, 16 Jul 2012 08:00:23 GMT

Also I find that in the splunkd log files there is an error reported
ERROR WinRegistryApi - RegKey::open - RegOpenKeyExW returned error 2
Is this anyway related to indexing event.zip files which have a folder path specified inside the zip file?

Re: Indexing Log files which are in zip format

dangeloma — Tue, 08 Dec 2020 18:17:23 GMT

For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files:

https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata