https://community.splunk.com/t5/Getting-Data-In/How-to-index-evtx-files-in-Splunk/m-p/262399#M50355 <P>Hi Experts,</P> <P>We have around 100 evtx files, and we want to index these files in Splunk and do analysis.</P> <P>But when we configure it in inputs.conf both on the universal forwarder and Splunk itself, (from Splunk Web), it does not get indexed.</P> <P>Kindly help with steps.</P> Mon, 05 Dec 2016 04:58:04 GMT chanduira 2016-12-05T04:58:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-evtx-files-in-Splunk/m-p/262399#M50355 <P>Hi Experts,</P> <P>We have around 100 evtx files, and we want to index these files in Splunk and do analysis.</P> <P>But when we configure it in inputs.conf both on the universal forwarder and Splunk itself, (from Splunk Web), it does not get indexed.</P> <P>Kindly help with steps.</P> Mon, 05 Dec 2016 04:58:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-evtx-files-in-Splunk/m-p/262399#M50355 chanduira 2016-12-05T04:58:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-evtx-files-in-Splunk/m-p/262400#M50356 <P>The documentation on how to do this exists here: <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata">http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata</A></P> <P>In short, you can add these files as inputs, but be sure that these files are not being written to while splunk reads it. <BR /> <STRONG>Also, unlike other log files, using the upload function will not work with these files</STRONG>. Splunk will recognize the file by the file extension .evt or .evtx. Since Splunk utilizes native Windows APIs to extract information from these files, you need to run Splunk on windows.</P> <P>from another answer - <BR /> We've had several problems with this issue. Actually the Splunk docs is a bit misleading on this. The only guaranteed method to index Windows Event Logs events is to define a native input on a Splunk instance -could be a (light)forwarder too- on the same windows machine that generate the Events to index (add for instance a [WinEventLog:Application] stanza in inputs.conf).<BR /> As you can see from the last updated docs (<A href="http://www.splunk.com/base/Documentation/4.1.1/Admin/MonitorWindowsdata">http://www.splunk.com/base/Documentation/4.1.1/Admin/MonitorWindowsdata</A> ), indexing exported evt data has several limitations, due to the Microsoft proprietary way to generate those .evt files, which embed links to the DLLs used to generate them.</P> <P>So take care when planning a Splunk deployment were there will be several evt files (or data) to index!</P> <P>more on this - <BR /> <A href="https://answers.splunk.com/answers/141/can-splunk-index-windows-event-log-evt-evtx-files.html">https://answers.splunk.com/answers/141/can-splunk-index-windows-event-log-evt-evtx-files.html</A></P> <P><STRONG>workaround -</STRONG> <BR /> maybe, you can try to convert these files to text files or csv files and upload to splunk.<BR /> <A href="http://serverfault.com/questions/783708/convert-saved-evtx-files-to-text">http://serverfault.com/questions/783708/convert-saved-evtx-files-to-text</A></P> Mon, 05 Dec 2016 05:21:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-evtx-files-in-Splunk/m-p/262400#M50356 inventsekar 2016-12-05T05:21:39Z