
splunk-wineventlog.exe

halbeisendv
Path Finder

How does splunk-wineventlog.exe know how to find the Event Logs on a server? We have an inputs.conf file which looks like this, but I am not understanding how Splunk finds the logs. Thank you.

OS Logs

[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = windows
renderXml = false

0 Karma

halbeisendv
Path Finder

Thank you for the explanation and code snippet.

0 Karma

dstaulcu
Builder

The handler does not need to know where the file is because the handler does not interact directly with the underlying log files. You simply need to enter the log name in the input spec.

I don't trust myself to type in long log names so I use a PowerShell script to get those names into my clipboard.

# List every channel whose name contains "Application" and copy the names to the clipboard
(Get-WinEvent -ListLog "*" -ErrorAction SilentlyContinue | Where-Object { $_.LogName -match "Application" }).LogName | clip

The WinEventLog handler makes similar API calls to the EventLog provider in Windows, which does all the work of correlating message IDs in the actual log file to messageStrings expressed in the language that matches your localization preferences.

Here is one of my code projects to try to explore the schema of all possible logs. Not sure if the code is stable at this point because I tried to handle the classic log type, which required lower-level programming than I was comfortable with.
https://github.com/dstaulcu/WinEventsToSplunkObjects

This code project also looks really interesting if you are looking to interact with log files seized from offline computers.
https://github.com/vavarachen/evtx2json

0 Karma
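Since the handler only needs the channel name from the stanza header, a mistyped name fails silently: the input just never produces events. As an added example (not code from this thread or from Splunk), the script below reads the [WinEventLog://...] stanzas out of an inputs.conf and checks each name against the channels the host actually exposes via the same EventLog API surface (Get-WinEvent -ListLog); the inputs.conf path is an assumption.

```powershell
# Added example: verify that every WinEventLog stanza in inputs.conf names a channel
# that exists on this host. Path below is an assumption; point it at your forwarder's app.
param(
    [string]$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'
)

# Pull the log name out of every "[WinEventLog://<name>]" stanza header.
$stanzaPattern = '^\s*\[WinEventLog://(?<log>[^\]]+)\]'
$logNames = Get-Content -Path $InputsConf |
    ForEach-Object { if ($_ -match $stanzaPattern) { $Matches['log'] } }

if (-not $logNames) {
    Write-Warning "No WinEventLog stanzas found in $InputsConf"
    return
}

# Enumerate channels once. -ErrorAction SilentlyContinue skips logs the caller
# lacks permission to describe instead of aborting the whole listing.
# PowerShell hashtable keys are case-insensitive, matching how channel names behave.
$known = @{}
Get-WinEvent -ListLog '*' -ErrorAction SilentlyContinue |
    ForEach-Object { $known[$_.LogName] = $_ }

foreach ($name in $logNames) {
    if ($known.ContainsKey($name)) {
        $log = $known[$name]
        [pscustomobject]@{
            Stanza    = $name
            Exists    = $true
            Enabled   = $log.IsEnabled     # disabled channels collect nothing
            Classic   = $log.IsClassicLog  # classic (.evt-style) vs. modern (.evtx) channel
            Records   = $log.RecordCount   # 0 on an enabled channel is worth a look too
        }
    } else {
        # A stanza that matches no channel is the silent-failure case to flag.
        [pscustomobject]@{
            Stanza = $name; Exists = $false; Enabled = $null; Classic = $null; Records = $null
        }
    }
}
```

Run it on the forwarder host (or pass -InputsConf) and pipe the output through Format-Table; any row with Exists = False or Enabled = False explains an input that never shows up in the index.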