Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ingest old security.evtx files

sswigart
Explorer
Tuesday

I am running windows version of Splunk Enterprise 9.4.2 stand alone. I have 17 older security logs saved in a  separate folder. I want to ingest these logs into a new index and run queries on the ingested logs.  How can I do that? 

Labels (3)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
Wednesday

Hi @sswigart 

I think you should be able to setup a monitor in inputs.conf but using the "preprocess-winevt" sourcetype, although I havent done this for some time.

#inputs.conf
[monitor://Path/To/Your/security.evxt]
index=yourNewIndex
sourcetype=preprocess-winevt

Also check out https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain...for more info on this approach.

🌟 Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...