Index EVTX files on Splunk running on non-Windows ...

miteshvohra · ‎04-12-2013

I am running Splunk for Mac (Darwin) on my laptop. I have received handful of EVTX files for analysis from a project team trying to visualize events captured in these event files. I understand that, EVTX files requires Windows APIs and DLLs to index or run Splunk on Windows to index them correctly.

However, is there a workaround to get these EVTX files indexed on Splunk instance running on Mac?

Please suggest.

kristian_kolb · ‎04-12-2013

I think you'll need to get them to give you the information you need.

Install an agent on the windows machine capable of producing 'correct' events. Splunk Universal Forwarder is very good, Snare might also work.

If that for some reason is not possible, they might have some luck with LogParser.

http://en.wikipedia.org/wiki/Logparser
http://technet.microsoft.com/en-us/library/ee692937.aspx

Not really familiar with that tool, though.

/K

miteshvohra · ‎04-21-2013

Noted. Have asked them to setup Free lic of Splunk. Have offered them remote assistance once they are ready.

kristian_kolb · ‎04-16-2013

tell the project team to redo it. they can't expect you to do a proper analysis with deficient data.

miteshvohra · ‎04-14-2013

Hi Kristian, Thanks for the help.

Unfortunately, I have received the EVTX files as email attachments.

Index EVTX files on Splunk running on non-Windows box

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life