Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Forwarding Saved Windows Events

ashishv
Explorer
‎01-28-2011 09:46 PM

i have a windows splunk forwarder config'd to forward all local Events logs; i have a event log from another server that i imported on this machine and want splunk forwarder to send this log events to splunk server...

is this achievable? if yes, How?

what are some of the best practices to import Windows Events log for a particular Windows Event ID?

thanks Ashish

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎01-28-2011 11:10 PM

I am unsure, but believe the 'import' function is a data viewing operation?

We will try to read events from an evt or evtx file if you point splunk at it to monitor, but note that there can be problems with moving eventlog data from one system to another, where some values cannot be resolved because of nonpresent operating system or application dlls. This more typically will result in incomplete data (missing fields), more than a failure to read.

In general the windows eventlog api is much higher quality in vista and later revisions of the platform (vista, 7, 2008) than in earlier versions (xp, 2003), so it's preferable to run the eventlog collector on those later versions.

As for collecting a specific eventID, I cannot think of a nice way. You could definitely create props/transforms to discard all but your desired eventID for a given input by regex matching, but this is more than a bit tricky.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎01-28-2011 11:10 PM

I am unsure, but believe the 'import' function is a data viewing operation?

We will try to read events from an evt or evtx file if you point splunk at it to monitor, but note that there can be problems with moving eventlog data from one system to another, where some values cannot be resolved because of nonpresent operating system or application dlls. This more typically will result in incomplete data (missing fields), more than a failure to read.

In general the windows eventlog api is much higher quality in vista and later revisions of the platform (vista, 7, 2008) than in earlier versions (xp, 2003), so it's preferable to run the eventlog collector on those later versions.

As for collecting a specific eventID, I cannot think of a nice way. You could definitely create props/transforms to discard all but your desired eventID for a given input by regex matching, but this is more than a bit tricky.

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎01-31-2011 11:30 PM

The simple answer is that setting splunk to monitor the specific path should work. If that is not working for you, then I recommend working with splunk support to resolve the problem.

0 Karma
Reply
Solved! Jump to solution

ashishv
Explorer
‎01-31-2011 03:36 PM

splunk monitor is on Windows 7, Event logs are from Win2008 servers. when i try to import these evtx logs, it gives me the following error:

"Your entry was not saved. The following error was reported: SyntaxError: Unexpected token <"

Ashish

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...