Getting Data In

How to index .evt(x) files exported from a Windows system for Forensics/Root Cause Analysis/Incident Response etc when the system is no longer operational?

marycordova
SplunkTrust

Problem statement: Windows .evt(x) files need to be indexed but the system the files originated from is no longer operational and the normal methods for gathering Windows event logs will not work; Universal Forwarder, WEF, etc

@marycordova

marycordova
SplunkTrust

Solution: custom app incident_response

  1. Splunk Enterprise system with admin rights and an index called "incident" (this can be changed), a single stand-alone free instance would be sufficient
  2. custom app with bin, local, and metadata directories and a README file
  3. batch script to convert files from .evt(x) to .txt
  4. input to ingest and index .txt files
  5. props for event breaking, field extraction, etc

Directory structure:

$SPLUNK_HOME/etc/apps/incident_response/ 
README.txt 
/bin/convevt.bat 
/local/app.conf 
/local/inputs.conf 
/local/props.conf 
/metadata/local.meta    

convevt.bat (pardon my windows...I'm better in *nix!):

REM declare directory to event logs without trailing "\" 
REM set evtlogs="D:\directory\to\logs" 

set evtlogs="D:\ticket-123456\Logs" 

REM forfiles runs wevtutil once per .evt/.evtx file; @path expands to the quoted full path,
REM so each text export is written next to its source file as <file>.evt(x).txt
forfiles /P %evtlogs% /M *.evt* /C "cmd /c wevtutil qe @path /lf:true /f:Text > @path.txt"

app.conf:

[install] 
state = enabled

inputs.conf:

# declare directory to event logs in "incident_response\bin\convevt.bat" 
# enable script input 
[script://.\bin\convevt.bat] 
index = main 
sourcetype = script:output 
interval = -1 
#disabled = 0 
disabled = 1 

# declare directory to event logs with trailing "\*.txt" 
# declare hostname 
#[monitor://D:\directory\to\logs\*.txt] 
[monitor://D:\ticket-123456\Logs\*.txt] 
index = incident 
sourcetype = wevtutil:txt 
host = hostname 
disabled = 0 

# restart splunk 
# after first run disable script input and restart splunk

props.conf:

[wevtutil:txt] 
ANNOTATE_PUNCT = false 
LINE_BREAKER = (Event\[\d+\]\:) 
SHOULD_LINEMERGE = false 
ADD_EXTRA_TIME_FIELDS = false 
TIME_PREFIX = Date\:\s+ 
MAX_DAYS_AGO = 10951 
KV_MODE = none 
# each EXTRACT needs a named capture group (?<field>...); the field names below are
# reconstructed from the labels wevtutil prints and can be renamed as needed
EXTRACT-wevtutil_1 = Log\s+Name\:\s+(?<log_name>[^\n]+) 
EXTRACT-wevtutil_2 = Source\:\s+(?<source_name>[^\n]+) 
EXTRACT-wevtutil_3 = Event\s+ID\:\s+(?<event_id>[^\n]+) 
EXTRACT-wevtutil_4 = Task\:\s+(?<task>[^\n]+) 
EXTRACT-wevtutil_5 = Level\:\s+(?<level>[^\n]+) 
EXTRACT-wevtutil_6 = Opcode\:\s+(?<opcode>[^\n]+) 
EXTRACT-wevtutil_7 = Keyword\:\s+(?<keyword>[^\n]+) 

################################ 
###ADD CUSTOM EXTRACTIONS HERE### 
################################ 

#EXTRACT-wevtutil_# = regex

local.meta:

[] 
access = read : [ * ], write : [ admin ] 
export = system

README.txt:

1 - declare directory to event logs in "bin\convevt.bat" 
2 - enable script input in "local\inputs.conf" 
3 - declare directory to event logs in "local\inputs.conf" 
4 - declare hostname in "local\inputs.conf" 
5 - restart splunk 
6 - after first run disable script input and restart splunk
@marycordova

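As an added offline check (not from the post and not Splunk's own code), the Python below applies the same LINE_BREAKER, TIME_PREFIX, MAX_DAYS_AGO and EXTRACT-* rules from the props.conf stanza to a constructed `wevtutil qe ... /f:Text` sample, so the event breaking and field extractions can be validated before the converted .txt files are indexed. The sample events, the host name, and the field names (log_name, event_id, and so on) are assumptions; real exports should be checked the same way with their own files.

```python
"""Offline check of the wevtutil text parsing rules from the props.conf stanza."""
import re
from datetime import datetime, timedelta

# Constructed sample of `wevtutil qe <file> /lf:true /f:Text` output (two events on a
# made-up host). Not real forensic data and not taken from the post.
SAMPLE = """\
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2019-03-12T14:03:52.123
  Event ID: 4624
  Task: Logon
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: WORKSTATION01
  Description:
An account was successfully logged on.

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2019-03-12T14:05:10.456
  Event ID: 1102
  Task: Log clear
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: WORKSTATION01
  Description:
The audit log was cleared.
"""

# Same patterns as the props.conf stanza, using Python's (?P<...>) group syntax.
LINE_BREAKER = re.compile(r"(Event\[\d+\]:)")
TIME_PREFIX = re.compile(r"Date:\s+")
MAX_DAYS_AGO = 10951
EXTRACTIONS = {  # field names are assumed, not from the post
    "log_name": re.compile(r"Log\s+Name:\s+(?P<v>[^\n]+)"),
    "source_name": re.compile(r"Source:\s+(?P<v>[^\n]+)"),
    "event_id": re.compile(r"Event\s+ID:\s+(?P<v>[^\n]+)"),
    "task": re.compile(r"Task:\s+(?P<v>[^\n]+)"),
    "level": re.compile(r"Level:\s+(?P<v>[^\n]+)"),
    "opcode": re.compile(r"Opcode:\s+(?P<v>[^\n]+)"),
    "keyword": re.compile(r"Keyword:\s+(?P<v>[^\n]+)"),
}


def break_events(text):
    """Split like Splunk's LINE_BREAKER: the capture group is the boundary and is
    dropped from the event, so each event body starts right after 'Event[N]:'."""
    parts = LINE_BREAKER.split(text)
    # re.split with one capture group yields [prefix, delim, body, delim, body, ...]
    return [parts[i].strip() for i in range(2, len(parts), 2) if parts[i].strip()]


def extract_fields(event_text):
    """Apply the EXTRACT-* regexes; the first match in the event wins."""
    fields = {}
    for name, rx in EXTRACTIONS.items():
        m = rx.search(event_text)
        if m:
            fields[name] = m.group("v").strip()
    return fields


def extract_time(event_text):
    """Take the token after TIME_PREFIX and parse it as an ISO-8601 timestamp.
    Returns None when the prefix is missing or the token does not parse."""
    m = TIME_PREFIX.search(event_text)
    if not m:
        return None
    rest = event_text[m.end():].split()
    if not rest:
        return None
    try:
        return datetime.fromisoformat(rest[0])
    except ValueError:
        return None


def within_max_days_ago(ts, now):
    """MAX_DAYS_AGO check: an event older than this would not keep its own timestamp."""
    return ts is not None and (now - ts) <= timedelta(days=MAX_DAYS_AGO)


def parse_wevtutil_text(text, now=None):
    """Break, extract and timestamp every event in a wevtutil text export.
    `now` may be a datetime or an ISO string; it defaults to the current time."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    events = []
    for body in break_events(text):
        ev = extract_fields(body)
        ev["_time"] = extract_time(body)
        ev["_time_in_range"] = within_max_days_ago(ev["_time"], now)
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in parse_wevtutil_text(SAMPLE):
        print(ev["_time"], ev["log_name"], ev["event_id"], ev["task"], ev["_time_in_range"])
```

Run it against a real export (read the .txt file and pass its contents to `parse_wevtutil_text`) to confirm that every event has a parsed `_time` and the expected fields before restarting Splunk; an event with `_time` of None or `_time_in_range` False is one whose timestamp the props.conf settings would not index as written.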
