I'm new to Splunk.
I have a folder with windows Eventlog files that we want to feed into splunk. I have less than 200 MB of files on the disk but when splunk imports it my index usage hits 1 GB, which causes a license violation.
Can anyone explain why, or know the raw data size to index size is?
Windows Event Logs are two parts - an XML component (stored potentially compressed in the EVTX file) and the Message (stored in a DLL). Splunk puts these together to create the standard Windows Event Logs. You get a decoded event which is the XML + Message, hence the ballooning storage.
Rename the .EVTX file to .XML and import, setting the sourcetype to WinXmlEventLog:channel and the event separator appropriately (I think it's ) and the event will be stored in Splunk in XML. In addition, if your events are from the Security channel, the Splunk_TA_windows will decode them in a CIM compliant manner, allowing you to use them in all the CIM data models that they are appropriate to.
Thanks for the info on the EVTX components..
Can you elaborate on WinXMLEventlog:channel? Is this defined as part of an Add On?
The WinXmlEventLog:channel is a sourcetype. If your Channel field in the event logs is, for example, Security, then you would set the source type to WinXmlEventLog:Security - this allows the Splunk_TA_windows to decode the events and populate the common fields.