Splunk Enterprise

WinEventLog

malonoisgustave
New Member

Hello Guys,

First of all, Happy New Year 🙂

I have installed Splunk Enterprise Insights on Windows machines (Win10, Server 2016/2019) and on Linux distros (Ubuntu 20.04, 18.04) to try to get the Windows event logs into my Splunk instance. The Network, RAM and CPU statements are working, but the Windows event logs are not working ... Every time, on all of the installs mentioned below, I get this error in the Splunk web interface:

---------------------------------------

Error in 'stats' command: The aggregation specifier 'first(Adresse' is invalid. The aggregation specifier must be in [func_name]([key]) format

---------------------------------------

I also tried to add sources directly from the right PATH in the personalized sources in the Splunk web interface, like: "C:\windows\system32\blablabla\Security.evtx", but that's not working. I'm stuck and depressed; I'm trying to get all the logs on a Windows host (in a workgroup) and I'm admin (it's a fresh install, just for trying!)

Can some "Splunk guys" help me please :'( :'( ?

Thank you all in advance!


scelikok
SplunkTrust

Hi @malonoisgustave,

A happy new year too 🙂

First of all, the error you are getting on Splunk Web is not about data ingestion. It seems there is a typo in a search: a missing closing parenthesis on "first(Adresse"; this should be something like first(Adresse).

Regarding Windows event logs, you don't need to read them as files. Splunk can ingest directly from Event Channels. Please see the document below:

https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_Splunk_Web_t...


If this reply helps you an upvote and "Accept as Solution" is appreciated.
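As an added example of the channel-based approach scelikok describes (this fragment is not part of the reply or of Splunk's documentation), an inputs.conf on the Windows host that reads the Security, System and Application channels through the WinEventLog input instead of monitoring .evtx files; the index name and the event-code whitelist are assumptions chosen for illustration.

```ini
# Added example: inputs.conf on the Windows host (or its universal forwarder),
# typically under $SPLUNK_HOME\etc\system\local\ or an app's local\ directory.
# Splunk conf files only accept comments on their own lines, not after values.

[WinEventLog://Security]
disabled = 0
# Assumed index name; create it first or remove this line to use the default.
index = wineventlog
# Backfill events already in the channel on first run; 1 would take only new ones.
start_from = oldest
current_only = 0
# How often (seconds) the read position is persisted, so a restart resumes cleanly.
checkpointInterval = 5
# Classic text rendering; set to true for XML-rendered events.
renderXml = false
# Workgroup host: there is no AD to resolve SIDs against, so skip the lookups.
evt_resolve_ad_obj = 0
# Optional: keep only events of interest for detection (logon success/failure,
# process creation, audit log cleared). The regex is applied to EventCode.
whitelist = EventCode=%^(4624|4625|4688|1102)$%

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
```

Restart Splunk (or the forwarder) after editing, then confirm ingestion with a search such as `index=wineventlog | stats count by source, EventCode`, which also shows the `func(field)` form that the `first(Adresse` error in the question was missing.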