Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Eventlogs (Extract RAW from one splunk and import to another)

PatrikL
Observer
‎03-06-2024 03:39 AM

We are currently changing our splunk server to a new one and during the change there was a mix up and we got data sent to the old instance (about 12h worth) which we would like to transfer to our new splunk instance.

My thought was to do a search on the old one and then export the results, when I do this as a RAW format and then import it to the new one the data looks good but the field extracts for WinEventLog is not applied as it should (even tho I use the same Event type) how can I solve this?

I've also tried to export it as xml, json, csv but the data looks worse than using RAW

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-06-2024 04:18 AM

Hi @PatrikL,

you should extract WinEventLog row data by sourcetype, source and host and then import in the new system manually using these values.

Ciao.

Giuseppe

0 Karma
Reply

PatrikL
Observer
‎03-06-2024 04:21 AM

Thanks for the reply, could you please provide an example? I'm not quite understanding what you mean? should I add sourcetype, source and host to the search before export?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-06-2024 04:53 AM

Hi @PatrikL,

you have to list the hosts for each sourcetype and source and then extract datarunning a simple search e.g.:

index=winwvwntlog sourcetype=xmlwineventlog source=WinEventLog:Security host=host1

and then manually load it  (using the Add Data Featrure) and using the above fields.

You could eventually save the files using the with the host name as folder and then use an automatic assignment of the host.

But anyway, it's a long job.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...