Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does 200 MG of .EVTX files uploaded into Splunk exceed the 1 GB limit on license?

dbousquin
New Member
‎10-07-2014 10:35 AM

I'm new to Splunk.

I have a folder with windows Eventlog files that we want to feed into splunk. I have less than 200 MB of files on the disk but when splunk imports it my index usage hits 1 GB, which causes a license violation.

Can anyone explain why, or know the raw data size to index size is?

Labels (1)
Labels
0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎10-07-2014 07:13 PM

Windows Event Logs are two parts - an XML component (stored potentially compressed in the EVTX file) and the Message (stored in a DLL). Splunk puts these together to create the standard Windows Event Logs. You get a decoded event which is the XML + Message, hence the ballooning storage.

Rename the .EVTX file to .XML and import, setting the sourcetype to WinXmlEventLog:channel and the event separator appropriately (I think it's ) and the event will be stored in Splunk in XML. In addition, if your events are from the Security channel, the Splunk_TA_windows will decode them in a CIM compliant manner, allowing you to use them in all the CIM data models that they are appropriate to.

Reply

dbousquin
New Member
‎10-08-2014 08:16 AM

Thanks for the info on the EVTX components..

Can you elaborate on WinXMLEventlog:channel? Is this defined as part of an Add On?

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎10-08-2014 10:15 PM

The WinXmlEventLog:channel is a sourcetype. If your Channel field in the event logs is, for example, Security, then you would set the source type to WinXmlEventLog:Security - this allows the Splunk_TA_windows to decode the events and populate the common fields.

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...