Splunk Enterprise

WinEventLog

malonoisgustave
New Member

Hello Guys, 

 

First of all, Happy new year 🙂 

 

I have installed Splunk Enterprise Insights on Windows machines (Win10, Server 2016/2019) and on Linux distros (Ubuntu 20.04, 18.04) to try to get the Windows event logs into my Splunk instance. The network, RAM and CPU statistics are working, but the Windows event logs are not working... Every time, on all of the installs mentioned below, I get this error in the Splunk web interface:

---------------------------------------

Error in 'stats' command: The aggregation specifier 'first(Adresse' is invalid. The aggregation specifier must be in [func_name]([key]) format

---------------------------------------

 

I also tried to add sources directly from the right PATH in the personalized sources in the Splunk web interface, like "C:\windows\system32\blablabla\Security.evtx", but that's not working. I'm stuck and depressed; I'm trying to get all the logs from a Windows host (in a Workgroup) and I'm admin (it's a fresh install, just for trying!).

 

Can some "Splunk guys" help me please :'( :'( ?

 

Thank you all in advance!


scelikok
SplunkTrust

Hi @malonoisgustave,

A happy new year too 🙂

First of all, the error you are getting in Splunk Web is not about data ingestion. It seems there is a typo in a search: a missing closing parenthesis in "first(Adresse"; this should be something like first(Adresse).

Regarding Windows event logs, you don't need to read them as files. Splunk can ingest directly from Event Channels. Please see the document below:

https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_Splunk_Web_t...

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
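As an added example (not from the original post or the reply above): an inputs.conf fragment that collects the Security, System and Application channels the way the reply describes, through the Windows Event Log API rather than by monitoring the .evtx files. It assumes Splunk Enterprise or a Universal Forwarder is installed on the Windows host itself (a Splunk instance on Linux cannot read Windows event channels; it has to receive them from a forwarder running on the Windows machine), that Splunk runs as Local System or another account allowed to read the Security log, and that an index named wineventlog already exists. Drop the index lines to send the events to the default index instead.

```ini
# inputs.conf on the Windows host (e.g. %SPLUNK_HOME%\etc\system\local\inputs.conf,
# or the local\ directory of an app). Each stanza names an Event Log channel;
# Splunk reads it through the Event Log API, not as a file on disk.

[WinEventLog://Security]
disabled = 0
# Back-fill everything already in the log on first start, then keep tailing it.
start_from = oldest
current_only = 0
# Persist the read position every 5 seconds so a restart does not re-send events.
checkpointInterval = 5
# Ship events as XML so every EventData field survives, not only the rendered message.
renderXml = true
# Assumed: this index exists on the indexer. Remove the line to use the default index.
index = wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

# What the question tried, and what does NOT work: a [monitor://...] stanza
# pointing at Security.evtx. The file is binary EVTX, which Splunk does not parse,
# and it is held open by the Windows Event Log service.
```

After saving the file, restart splunkd (splunk restart) and confirm the stanzas were picked up with "splunk btool inputs list --debug", which prints every active input together with the file it came from; "splunk list inputstatus" shows whether each WinEventLog input is actually reading. renderXml = true pairs best with the Splunk Add-on for Microsoft Windows, which knows how to extract fields from the XML form; without the add-on, leave it out to get the classic multi-line text rendering that is easier to read raw.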