Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sourcetype for windows event logs

mikefoti
Communicator
‎12-30-2011 05:55 AM

This question deals with identifying fields within events from a windows event log (i.e. the Application, System or Security log) manually exported from the windows EventVwr.

I know I can use a Splunk Universal Forwarder to monitor the logs and forward events for indexing as they occur… but in this case I need to troubleshoot a system that is not forwarding events. So I manually export, for example, the System event log. In doing so I have 3 options. I may export a log and save it as a .evt, a .csv or a .txt file. For testing, I have exported it in all 3 formats. I then used the Splunk UI to Add Inputs. First, when selecting the “sourcetype” I selected Automatic. I then selected From List, and tested csv, csv-2, csv-3, syslog and Log4J. My best results came when indexing the .Txt file using either sourcetype Automatic or Log4J…. but I was surprised to find that none of the combinations automatically identified the windows event Source, Type, Category or event EventID, etc.

So I guess I have 2 questions:

1.What happens behind the scenes when I select from the various sourcetypes available on the Data Inputs screen?
2.Is there a tried and true method for automatically indentifying these basic windows event log fields so next week, when troubleshooting another windows system, I won’t have to re-extract these basic fields?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dart
Splunk Employee
Splunk Employee
‎12-30-2011 01:37 PM

Windows event logs should be importable as .evt or .evtx files, however you need to be running your indexer on Windows to do so.

The default sourcetype would be WinEventLog: followed by the source log, for example for the Application log it would be WinEventLog:Application, however automatic sourcetype assignment should work, and fields should be extracted.

View solution in original post

Reply
Solved! Jump to solution
Solution

dart
Splunk Employee
Splunk Employee
‎12-30-2011 01:37 PM

Windows event logs should be importable as .evt or .evtx files, however you need to be running your indexer on Windows to do so.

The default sourcetype would be WinEventLog: followed by the source log, for example for the Application log it would be WinEventLog:Application, however automatic sourcetype assignment should work, and fields should be extracted.

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...