I'm new to Splunk.
I have a folder with windows Eventlog files that we want to feed into splunk. I have less than 200 MB of files on the disk but when splunk imports it my index usage hits 1 GB, which causes a license violation.
Can anyone explain why, or know the raw data size to index size is?
Windows Event Logs are two parts - an XML component (stored potentially compressed in the EVTX file) and the Message (stored in a DLL). Splunk puts these together to create the standard Windows Event Logs. You get a decoded event which is the XML + Message, hence the ballooning storage.
Rename the .EVTX file to .XML and import, setting the sourcetype to WinXmlEventLog:channel and the event separator appropriately (I think it's ) and the event will be stored in Splunk in XML. In addition, if your events are from the Security channel, the Splunk_TA_windows will decode them in a CIM compliant manner, allowing you to use them in all the CIM data models that they are appropriate to.
The WinXmlEventLog:channel is a sourcetype. If your Channel field in the event logs is, for example, Security, then you would set the source type to WinXmlEventLog:Security - this allows the Splunk_TA_windows to decode the events and populate the common fields.