Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Index Windows log evtx

kalianov
Path Finder
‎03-01-2017 07:07 AM

Hi guys!
I have a free Splunk server which installed on Windows 2012 and
I want to index and analyze Security.evtx file, which I download from remote user's PC (Windows7).
I tried to add this stanzas to index.conf and reboot splunk server, but no information were indexed:
I can't use forwarder, it's a one-time need.
Var1
[WinEventLog://C:\temp\Security.evtx]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

Var2: If I open my "Security.evtx" file in Event Viewer, it's opened in "Saved Logs-Security" tree thats why I tried this:
[WinEventLog://Saved Logs/Security]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

No results.

Tags (2)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎03-01-2017 07:28 AM

You have to open the event log in your event viewer on your local machine and then export it as csv and then you can use the add data wizard in Splunk.

Reply

kalianov
Path Finder
‎03-01-2017 11:12 PM

Thanks for your advice. This is the right solution, but the task is to do it without conversion.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎03-02-2017 05:07 AM

You can't. You either put a forwarder on the machine to read the data where it is being generated, pull the data from another windows machine running Splunk via WMI input, or you do the conversion.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...