Getting Data In

Why are Windows event logs getting joined when setting the source to WinEventLog:xxxxxxx?



All our Windows Application, Security & System logs are being forwarded to a central syslog-ng server (1 line per event).  

On the syslog server we have the Splunk Heavy Forwarder installed and I have been forwarding the logs on to the Splunk Indexer.

I'm trying to use the Windows TA Add-on and it requires the sourcetype to be WinEventLog and the source to be one of WinEventLog:Application, WinEventLog:Security or WinEventLog:System.

So in the inputs.conf on the heavy forwarder I added the lines to each input:




Now when I search in the search head I am seeing that 2 or 3 or 4 log entries are being grouped as 1 big entry.  I played around with the source/sourcetype fields and found that the problem is only there when the source starts with WinEventLog.

I found the [source::WinEventLog...] in props.conf and tried commenting it out partially or completely and it did not make any difference.  This was on the indexer and heavy forwarder in the /etc/system/local/props.conf.

Is there any way to get Windows Event Logs in syslog format into Splunk in a way that the Windows TA Add-on will recognize?  This will eventually be feeding into Security Essentials.


Thank you,
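The merging described above is consistent with how Splunk's built-in `[source::WinEventLog...]` stanza behaves: as far as I understand it, the system default props.conf turns on `SHOULD_LINEMERGE` for that source pattern and uses a `BREAK_ONLY_BEFORE` regex that matches the native event-log timestamp, so syslog-formatted lines (which never match that pattern) get glued onto the previous event. Commenting out a stanza in `system/local` does nothing, because the stanza actually in effect lives in `system/default`. The override below is an added example, not configuration from the post or from the Windows add-on; the file location and the claim that it must sit on the heavy forwarder (the first full Splunk instance that parses the data) are assumptions about this deployment.

```ini
# props.conf in $SPLUNK_HOME/etc/system/local (or an app's local/) on the
# heavy forwarder. Hypothetical example: a local stanza with the same source
# pattern overrides the matching default stanza, so the default BREAK_ONLY_BEFORE
# no longer applies.
[source::WinEventLog...]
# syslog-ng already emits one event per line, so do not merge lines at all
SHOULD_LINEMERGE = false
# break events on newlines only
LINE_BREAKER = ([\r\n]+)
# keep the sourcetype the Windows add-on expects
sourcetype = WinEventLog
```

After saving, restart the heavy forwarder and confirm which settings win with `splunk btool props list "source::WinEventLog..." --debug`; the `--debug` output names the file each key was taken from, so you can see whether the local stanza has actually replaced the default one. Note that disabling line merging fixes the event boundaries only: the add-on's field extractions are written for the native event-log text layout, so syslog-rendered events may still need their own extractions before the add-on's CIM mappings populate.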




I think I'm seeing essentially the same thing, though from a different route - I'm getting JSON data from NXLog and sending it to a TCP input.  Works fine until I set "source=WinEventLog:System", at which point I get multiple lines of JSON text as a single event.
