All Apps and Add-ons

splunk-wineventlog.exe

halbeisendv
Path Finder

How does splunk-wineventlog.exe know how to find the Event Logs on a server? We have an inputs.conf file which looks like this, but I am not understanding how Splunk finds the logs. Thank you.

# OS Logs

[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = windows
renderXml = false

0 Karma

halbeisendv
Path Finder

Thank you for the explanation and code snippet.

0 Karma

dstaulcu
Builder

The handler does not need to know where the file is because the handler does not interact directly with the underlying log files. You simply need to enter the log name in the input spec.

I don't trust myself to type in long log names so I use a powershell script to get those names into my clipboard.

(Get-WinEvent -ListLog "*" -ErrorAction SilentlyContinue | ?{$_.LogName -match "Application"}).LogName | clip

The WinEventLog handler makes similar API calls to the EventLog provider in Windows, which does all the work of correlating message IDs in the actual log file to messageStrings expressed in the language that matches your localization preferences.

Here is one of my code projects to try and explore the schema of all possible logs. Not sure if the code is stable at this point because I tried to handle classic log type which required lower level programming than I was comfortable with.
https://github.com/dstaulcu/WinEventsToSplunkObjects

This code project also looks really interesting if you are looking to interact with log files seized from offline computers:
https://github.com/vavarachen/evtx2json

0 Karma
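To go from the log names the answer above looks up to finished input stanzas, here is an added PowerShell example (not from the original thread or from either poster): it asks the EventLog provider for log metadata by name, exactly as the WinEventLog input does, and writes one stanza per matching, enabled log using the settings from the question. The function name, the default index and the output file path are assumptions.

```powershell
# Added example, not from the original post.
# Enumerates Windows event logs through the EventLog API (no file paths involved,
# which is why the WinEventLog input only needs a log name) and emits an
# inputs.conf stanza for each log whose name matches $Pattern and that is enabled.
# Assumes it runs on the Windows host as a user allowed to read log metadata.
function New-WinEventLogStanza {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # regex matched against LogName
        [string]$Index = 'windows'                # assumed default index
    )

    # -ListLog returns EventLogConfiguration objects from the provider;
    # logs the caller cannot read are skipped silently instead of aborting.
    $logs = Get-WinEvent -ListLog '*' -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -match $Pattern -and $_.IsEnabled }

    foreach ($log in $logs) {
        # Use the exact LogName Windows reports; a misspelled stanza name
        # produces an input that silently collects nothing.
        @"
[WinEventLog://$($log.LogName)]
disabled = 0
current_only = 0
checkpointInterval = 5
index = $Index
renderXml = false

"@
    }
}

# Usage: stanzas for every enabled log whose name contains "Application",
# written to an assumed output file for review before deploying.
New-WinEventLogStanza -Pattern 'Application' |
    Set-Content -Path .\inputs.conf.generated -Encoding ASCII
```

Review the generated file before copying it into an app: a pattern such as 'Application' also matches channels like Microsoft-Windows-Application-Experience, which you may not want indexed.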