
Why does 200 MB of .EVTX files uploaded into Splunk exceed the 1 GB limit on license?

New Member

I'm new to Splunk.

I have a folder with Windows Event Log files that we want to feed into Splunk. I have less than 200 MB of files on the disk, but when Splunk imports them my index usage hits 1 GB, which causes a license violation.

Can anyone explain why, or does anyone know what the ratio of raw data size to index size is?


Re: 200 MB of .EVTX files uploaded into Splunk exceeds 1 GB limit on license. Can anyone explain why?

Splunk Employee

Windows Event Logs have two parts: an XML component (stored, potentially compressed, in the EVTX file) and the Message (stored in a DLL). Splunk puts these together to create the standard Windows Event Logs. You get a decoded event which is the XML + Message, hence the ballooning storage.

Rename the .EVTX file to .XML and import it, setting the sourcetype to WinXmlEventLog:channel and the event separator appropriately (I think it's ), and the event will be stored in Splunk as XML. In addition, if your events are from the Security channel, Splunk_TA_windows will decode them in a CIM-compliant manner, allowing you to use them in all the CIM data models they are appropriate to.


Re: 200 MB of .EVTX files uploaded into Splunk exceeds 1 GB limit on license. Can anyone explain why?

New Member

Thanks for the info on the EVTX components.

Can you elaborate on WinXmlEventLog:channel? Is this defined as part of an add-on?


Re: 200 MB of .EVTX files uploaded into Splunk exceeds 1 GB limit on license. Can anyone explain why?

Splunk Employee

WinXmlEventLog:channel is a sourcetype. If the Channel field in your event logs is, for example, Security, then you would set the sourcetype to WinXmlEventLog:Security; this allows Splunk_TA_windows to decode the events and populate the common fields.

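To put the two answers above into practice before uploading, the script below (an added example, not code from the thread or from Splunk) walks an XML export of an event log, groups the events by their Channel element, sizes the XML that an XML-based import would index per channel, and derives the WinXmlEventLog:<Channel> sourcetype to assign to each. It assumes the standard Windows event XML schema namespace and uses a small constructed sample wrapped in an `<Events>` root; real exports are larger and may lack the wrapper.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML (the schema an EVTX-to-XML export carries).
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# Emit the default namespace on re-serialisation so sizes resemble the export.
ET.register_namespace("", EVT_NS)

# Constructed sample: three trimmed events in the shape of an XML export.
SAMPLE_XML = f"""<Events>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4624</EventID><Channel>Security</Channel><Computer>HOST01</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="Service Control Manager"/>
<EventID>7036</EventID><Channel>System</Channel><Computer>HOST01</Computer></System>
<EventData><Data Name="param1">Spooler</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4634</EventID><Channel>Security</Channel><Computer>HOST01</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data></EventData></Event>
</Events>"""


def summarize_channels(xml_text: str) -> dict:
    """Per Channel: event count, approximate XML bytes an XML import would index,
    and the WinXmlEventLog:<Channel> sourcetype to set for that channel."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"events": 0, "xml_bytes": 0})
    for event in root.iter(f"{{{EVT_NS}}}Event"):
        channel_el = event.find(f"{{{EVT_NS}}}System/{{{EVT_NS}}}Channel")
        channel = channel_el.text if channel_el is not None and channel_el.text else "Unknown"
        entry = summary[channel]
        entry["events"] += 1
        # Size each event as serialised XML: this is the raw data Splunk licenses
        # when the file is imported as XML, without the rendered Message text.
        entry["xml_bytes"] += len(ET.tostring(event, encoding="utf-8"))
    for channel, entry in summary.items():
        entry["sourcetype"] = f"WinXmlEventLog:{channel}"
    return dict(summary)


if __name__ == "__main__":
    for channel, entry in summarize_channels(SAMPLE_XML).items():
        print(f"{channel:10} events={entry['events']:4} "
              f"xml_bytes={entry['xml_bytes']:7} sourcetype={entry['sourcetype']}")
```

Run it against a real export (`wevtutil` or Event Viewer "Save as XML") to see which channels dominate the volume before deciding what to index.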