Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ingesting offline Windows Event logs from different systems

KP3
Engager
‎07-06-2023 01:47 AM

I am trying to use a Universal Forwarder to get a load of windows event logs that I need to analyse into Splunk. The event logs are from about 7 different systems and are all located on my local laptop in a folder. 

I have tried adding the folder into the inputs.conf file and setting the sourcetype to WinEventLog, but once the data is in, the individual events are not being extracted. Rather the entire file is being passed as one event and all I can see are the headers for each Event Log. 

Is someone able to help me with this please? 

I should probably state that I am using a Splunk Cloud instance and do not have a deployment server - I need to go straight from my laptop to the Splunk Cloud instance. 

Thanks

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-06-2023 01:57 AM

Hi

If I understood right you have those events on .evxt files? Is so you should create separate inputs.conf for those. There are couple of posts where this has explained

Key word seems to be sourcetype="preprocess-winevt".

If you have those files on linux there is some additional tools which your are needing to read/index correctly into splunk.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-06-2023 01:57 AM

Hi

If I understood right you have those events on .evxt files? Is so you should create separate inputs.conf for those. There are couple of posts where this has explained

Key word seems to be sourcetype="preprocess-winevt".

If you have those files on linux there is some additional tools which your are needing to read/index correctly into splunk.

r. Ismo

Reply
Solved! Jump to solution

KP3
Engager
‎07-06-2023 08:22 AM

Thank you! That has worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...