Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Why does 200 MG of .EVTX files uploaded into Splunk exceed the 1 GB limit on license?

dbousquin
New Member
โ€Ž10-07-2014 10:35 AM

I'm new to Splunk.

I have a folder with windows Eventlog files that we want to feed into splunk. I have less than 200 MB of files on the disk but when splunk imports it my index usage hits 1 GB, which causes a license violation.

Can anyone explain why, or know the raw data size to index size is?

Labels (1)
Labels
0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
โ€Ž10-07-2014 07:13 PM

Windows Event Logs are two parts - an XML component (stored potentially compressed in the EVTX file) and the Message (stored in a DLL). Splunk puts these together to create the standard Windows Event Logs. You get a decoded event which is the XML + Message, hence the ballooning storage.

Rename the .EVTX file to .XML and import, setting the sourcetype to WinXmlEventLog:channel and the event separator appropriately (I think it's ) and the event will be stored in Splunk in XML. In addition, if your events are from the Security channel, the Splunk_TA_windows will decode them in a CIM compliant manner, allowing you to use them in all the CIM data models that they are appropriate to.

Reply

dbousquin
New Member
โ€Ž10-08-2014 08:16 AM

Thanks for the info on the EVTX components..

Can you elaborate on WinXMLEventlog:channel? Is this defined as part of an Add On?

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
โ€Ž10-08-2014 10:15 PM

The WinXmlEventLog:channel is a sourcetype. If your Channel field in the event logs is, for example, Security, then you would set the source type to WinXmlEventLog:Security - this allows the Splunk_TA_windows to decode the events and populate the common fields.

0 Karma
Reply