Splunk Enterprise

WinEventLog

malonoisgustave
New Member

Hello guys,

First of all, happy new year 🙂

I have installed Splunk Enterprise Insights on Windows machines (Win10, Server 2016/2019) and on Linux distros (Ubuntu 20.04, 18.04) to try to get the Windows event logs into my Splunk instance. The Network, RAM and CPU statements are working, but the Windows event logs are not working... Every time, on all of the installs mentioned below, I have this error in the Splunk web interface:

---------------------------------------

Error in 'stats' command: The aggregation specifier 'first(Adresse' is invalid. The aggregation specifier must be in [func_name]([key]) format

---------------------------------------

I also tried to add sources directly from the right path in the personalized sources in the Splunk web interface, like "C:\windows\system32\blablabla\Security.evtx", but that's not working. I'm stuck and depressed; I'm trying to get all the logs on a Windows host (in a Workgroup) and I'm admin (it's a fresh install, just for trying!).

Can some "Splunk guys" help me please :'( :'( ?

Thank you all in advance!


scelikok
SplunkTrust

Hi @malonoisgustave,

A happy new year too 🙂

First of all, the error you are getting on Splunk Web is not about data ingestion. It seems there is a typo in a search: a missing closing parenthesis on "first(Adresse". This should be something like first(Adresse).

Regarding Windows event logs, you don't need to read them as files. Splunk can ingest directly from Event Channels. Please see the document below:

https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_Splunk_Web_t...

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
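For readers who prefer a configuration file over the Splunk Web wizard the reply links to, the following is an added example of an inputs.conf that reads the Security, System and Application channels directly, as the reply describes. It is not code from the thread or from Splunk's documentation; the index name "wineventlog" is an assumption (use whatever index you have created), and the file path is the usual location for a universal forwarder's local inputs on Windows. The forwarder service must run as Local System or as an account in the Event Log Readers group, otherwise the Security channel is silently unreadable.

```ini
; $SPLUNK_HOME\etc\system\local\inputs.conf on the Windows host
; (added example; index name "wineventlog" is an assumption, not from the thread)

[WinEventLog://Security]
disabled = 0
index = wineventlog
; start at the oldest record still in the channel, not only new events
start_from = oldest
current_only = 0
; emit the full XML record so every field (Logon Type, IP address, etc.) is kept
renderXml = true
; persist the read position every 5 seconds so a restart does not re-index
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
```

After restarting the forwarder, a quick check from the search head is `index=wineventlog sourcetype=XmlWinEventLog:Security | stats count by EventCode`. Note that this stats call has its parentheses balanced, which is exactly the kind of typo the error message in the question points at. The `.evtx` file path from the question should not be added as a file monitor at all: the channel input above is the supported way to collect those events.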