Re: Getting Data into Splunk

rockb · ‎05-11-2021

I just installed splunk and imported my license.

I have a series of Windows event viewer files that have been exported that I want to import.

I have tried the following:

Settings --> Add Data
Upload Files From My computer
Select the file. It reads the file.
Next
Select Preprocess-winevt
Next
Review
Submit
Start Searching

No events are shown.

What am I doing wrong?

rockb · ‎05-12-2021

I figured it out. After the process is complete the Search window has host="xxxx" and sourcetype="preprocess-winevt".

If I delete host="xxxx" and sourcetype="preprocess-winevt". events are shown.

kamlesh_vaghela · ‎05-11-2021

@rockb

I hope checked in all time range and playing with search also.

Just guessing the reason and I doubt on retention period of Index. Just check the possible _time of indexed event and index retention period.

rockb · ‎05-11-2021

kamlesh,

I think you are saying to make sure that I am specifying to show all events not just events in a specific time period. I did not select any time period and if I understand the interface correctly it is saying it sees no events prior to today at 10:52 There are 8198 events listed when I open the evtx file in Windows event viewer.

Getting Data into Splunk

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor