Getting Data In

sourcetype for windows event logs

mikefoti

This question deals with identifying fields within events from a windows event log (i.e. the Application, System or Security log) manually exported from the windows EventVwr.

I know I can use a Splunk Universal Forwarder to monitor the logs and forward events for indexing as they occur, but in this case I need to troubleshoot a system that is not forwarding events. So I manually export, for example, the System event log. In doing so I have 3 options: I may export a log and save it as a .evt, a .csv or a .txt file. For testing, I have exported it in all 3 formats. I then used the Splunk UI to Add Inputs. First, when selecting the "sourcetype" I selected Automatic. I then selected From List, and tested csv, csv-2, csv-3, syslog and Log4J. My best results came when indexing the .txt file using either sourcetype Automatic or Log4J, but I was surprised to find that none of the combinations automatically identified the Windows event Source, Type, Category or EventID, etc.

So I guess I have 2 questions:

1. What happens behind the scenes when I select from the various sourcetypes available on the Data Inputs screen?
2. Is there a tried and true method for automatically identifying these basic Windows event log fields so next week, when troubleshooting another Windows system, I won't have to re-extract these basic fields?

Solution

dart
Splunk Employee

Windows event logs should be importable as .evt or .evtx files; however, you need to be running your indexer on Windows to do so.

The default sourcetype would be WinEventLog: followed by the source log (for example, for the Application log it would be WinEventLog:Application); however, automatic sourcetype assignment should work, and fields should be extracted.

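For the case the question describes, where the indexer is not on Windows and the log was exported from Event Viewer as .csv rather than .evt/.evtx, the "behind the scenes" part of the sourcetype choice is a props.conf stanza. The following is an added example, not from this thread or from Splunk's own defaults: it defines a custom sourcetype for the CSV export and maps the export's columns onto the field names (EventCode, SourceName, Type, TaskCategory) that the WinEventLog:* sourcetypes produce, so searches written against a forwarder-collected index also work against the manual export. The stanza name `winevt_csv_export`, the file-name pattern in the `[source::...]` stanza, and the column order are assumptions; Event Viewer's CSV export header varies by Windows version, so check the first line of your own file and adjust `FIELD_NAMES` and `TIME_FORMAT` to match.

```ini
# props.conf (added example, not the thread's own configuration)
#
# Assumed Event Viewer CSV export header (constructed for this example;
# verify against line 1 of your file):
#   Level,Date and Time,Source,Event ID,Task Category
[winevt_csv_export]
INDEXED_EXTRACTIONS = csv
# Skip the header row and assign our own names, so the fields carry
# no spaces and line up with the WinEventLog:* field names.
HEADER_FIELD_LINE_NUMBER = 1
FIELD_NAMES = Type,DateTime,SourceName,EventCode,TaskCategory
TIMESTAMP_FIELDS = DateTime
# Example export timestamp: 3/14/2013 9:05:17 AM
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
SHOULD_LINEMERGE = false

# Files uploaded with this naming pattern get the sourcetype automatically
# instead of relying on "Automatic" detection (pattern is an assumption).
[source::...*_export.csv]
sourcetype = winevt_csv_export
```

With this in place, a search such as `sourcetype=winevt_csv_export EventCode=6008 SourceName=EventLog` uses the same field names as `sourcetype=WinEventLog:System`, which is what makes the extraction reusable on the next troubleshooting exercise rather than something to rebuild each week. The .txt export is a multi-line, free-text layout and is not covered by a CSV extraction; if the indexer can be run on Windows, the .evt/.evtx import the answer describes remains the simpler route.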
