topic Re: Importing Event Logs in Splunk Search

How to import event logs from another system to scan on my local instance of Splunk?

BabySplunk — Thu, 01 Dec 2022 16:26:19 GMT

Hello all! I am brand new to Splunk and have learned quite a bit so far from this forum, so thank you! With that being said, I am currently trying to import event logs from another system to scan on my local instance of Splunk. I've tried moving the EVTX files into my winevt directory, but that didn't work. I'm getting very frustrated and any help would be appreciated.

-BabySplunk

Re: Importing Event Logs

gcusello — Wed, 30 Nov 2022 13:14:59 GMT

Hi @BabySplunk,

EVTX are encrypted, you need to use the connector that Splunk developed and it's in the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742).

For more infos you can see at https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/Usingforwardingagents and https://www.splunk.com/en_us/resources/videos/getting-data-into-windows.html

You can also find many interesting videos in the Splunk YouTube Channel.

Ciao.

Giuseppe

Re: Importing Event Logs

BabySplunk — Wed, 30 Nov 2022 14:42:11 GMT

I decided to convert them to CSV to make it a bit easier. I followed the video you linked, but now I'm getting no results returned via search.

Here's my search string:

source="filename.csv" sourcetype="csv" | search EventCode=4624 | table _time, Account_Name, Message

Re: Importing Event Logs

gcusello — Wed, 30 Nov 2022 14:55:10 GMT

Hi @BabySplunk,

at first use always the index value in searches because you index could not be in the default path and probably this is your issue.

then check the EventCode field: field names in Splunk are Case sensitive.

Then you don't need to use the search command, put the search conditons as left as possible:

index=your_index source="filename.csv" sourcetype="csv" EventCode=4624 | table _time Account_Name Message

Ciao.

Giuseppe

Re: Importing Event Logs

BabySplunk — Wed, 30 Nov 2022 15:02:32 GMT

Thanks for your help, but I'm still returning no results.

Re: Importing Event Logs

gcusello — Wed, 30 Nov 2022 15:12:39 GMT

Hi @BabySplunk,

how do you indexed these csv files?

in which index did you stored them?

Ciao.

Giuseppe

Re: Importing Event Logs

BabySplunk — Wed, 30 Nov 2022 15:37:54 GMT

The index is titled "main"

Re: Importing Event Logs

gcusello — Wed, 30 Nov 2022 15:42:15 GMT

Hi @BabySplunk,

it isn't a best prectice to use the default index "main"!

Anyway, how did you ingested these files?

Ciao.

Giuseppe

Re: Importing Event Logs

BabySplunk — Wed, 30 Nov 2022 15:43:56 GMT

I did a one-time upload via the SplunkEnterprise webpage and followed the wizard.

Re: Importing Event Logs

gcusello — Wed, 30 Nov 2022 15:45:33 GMT

Hi @BabySplunk,

at the end of the guided procedure, you can search Data, have you results?

ciao.

Giuseppe

Re: Importing Event Logs

BabySplunk — Wed, 30 Nov 2022 15:53:06 GMT

No results.

Re: Importing Event Logs

gcusello — Thu, 01 Dec 2022 07:32:05 GMT

Hi @BabySplunk,

this means that the ingestion procedure failed and you didn't uploaded your data.

During the guided procedure, you can check the timestamp recognition and the fields recognition, do you correctly see them?

Ciao.

Giuseppe.

Re: Importing Event Logs

BabySplunk — Thu, 01 Dec 2022 19:47:20 GMT

Yes, I see them and my data is now populating but when I complete the upload and attempt a search, I'm still getting "no results found".

Re: Importing Event Logs

PickleRick — Thu, 01 Dec 2022 20:03:53 GMT

Check the time range of your search. If you import data from the past you might be simply searching over wrong time range which by default is some time "backwards" from now (like last 24h).

Re: Importing Event Logs

gcusello — Fri, 02 Dec 2022 06:56:02 GMT

Hi @BabySplunk,

using the guided procedure, check if the timestamp is correctly read because if you're using a date in european format (dd/mm/yyy), until the 11th of the month, Splunk read it in american format (mm/dd/yyy) and maybe your data were ingested but with the wrong timestamp.

You can check this searching your data with timestamp 01/12/2022 at the 12th of January 2022.

If this is the issue, you have to force the correct TIME_FORMAT in sourcetype.

Ciao.

Giuseppe

Re: Importing Event Logs

BabySplunk — Fri, 02 Dec 2022 15:45:49 GMT

I have it showing results now, but the table header tags that I typically use with my forwarded data is not matching up in the CSV import. For instance, I normally use "| table _time,Account_Name,Message,EventCode" but nothing matches from the CSV import. It reads as "Event ID" instead of EventCode and "EXTRA_FIELD_" instead of Message and "Account_Name" returns no results.