Ingest old security.evtx files

sswigart · ‎09-23-2025

I am running windows version of Splunk Enterprise 9.4.2 stand alone. I have 17 older security logs saved in a separate folder. I want to ingest these logs into a new index and run queries on the ingested logs. How can I do that?

livehybrid · ‎09-24-2025

Hi @sswigart

I think you should be able to setup a monitor in inputs.conf but using the "preprocess-winevt" sourcetype, although I havent done this for some time.

#inputs.conf
[monitor://Path/To/Your/security.evxt]
index=yourNewIndex
sourcetype=preprocess-winevt

Also check out https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain...for more info on this approach.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful

Marking it as the solution if it resolved your issue

Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Ingest old security.evtx files

data

index

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

Ingest old security.evtx files

data

index

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability