Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does 200 MG of .EVTX files uploaded into Splunk exceed the 1 GB limit on license?

dbousquin
New Member
‎10-07-2014 10:35 AM

I'm new to Splunk.

I have a folder with windows Eventlog files that we want to feed into splunk. I have less than 200 MB of files on the disk but when splunk imports it my index usage hits 1 GB, which causes a license violation.

Can anyone explain why, or know the raw data size to index size is?

Labels (1)
Labels
0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎10-07-2014 07:13 PM

Windows Event Logs are two parts - an XML component (stored potentially compressed in the EVTX file) and the Message (stored in a DLL). Splunk puts these together to create the standard Windows Event Logs. You get a decoded event which is the XML + Message, hence the ballooning storage.

Rename the .EVTX file to .XML and import, setting the sourcetype to WinXmlEventLog:channel and the event separator appropriately (I think it's ) and the event will be stored in Splunk in XML. In addition, if your events are from the Security channel, the Splunk_TA_windows will decode them in a CIM compliant manner, allowing you to use them in all the CIM data models that they are appropriate to.

Reply

dbousquin
New Member
‎10-08-2014 08:16 AM

Thanks for the info on the EVTX components..

Can you elaborate on WinXMLEventlog:channel? Is this defined as part of an Add On?

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎10-08-2014 10:15 PM

The WinXmlEventLog:channel is a sourcetype. If your Channel field in the event logs is, for example, Security, then you would set the source type to WinXmlEventLog:Security - this allows the Splunk_TA_windows to decode the events and populate the common fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...