Hello all! I am brand new to Splunk and have learned quite a bit so far from this forum, so thank you! With that being said, I am currently trying to import event logs from another system to scan on my local instance of Splunk. I've tried moving the EVTX files into my winevt directory, but that didn't work. I'm getting very frustrated and any help would be appreciated.
-BabySplunk
Hi @BabySplunk,
EVTX files are encrypted; you need to use the connector that Splunk developed, which is in the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742).
For more info, see https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/Usingforwardingagents and https://www.splunk.com/en_us/resources/videos/getting-data-into-windows.html
You can also find many interesting videos in the Splunk YouTube Channel.
Ciao.
Giuseppe
I decided to convert them to CSV to make it a bit easier. I followed the video you linked, but now I'm getting no results returned via search.
Here's my search string:
source="filename.csv" sourcetype="csv" | search EventCode=4624 | table _time, Account_Name, Message
Hi @BabySplunk,
First, always use the index value in searches, because your index might not be in the default path, and this is probably your issue.
Then check the EventCode field: field names in Splunk are case sensitive.
Also, you don't need to use the search command; put the search conditions as far left as possible:
index=your_index source="filename.csv" sourcetype="csv" EventCode=4624
| table _time Account_Name Message
Ciao.
Giuseppe
Thanks for your help, but I'm still returning no results.
The index is titled "main"
Hi @BabySplunk,
it isn't a best practice to use the default index "main"!
Anyway, how did you ingest these files?
Ciao.
Giuseppe
I did a one-time upload via the SplunkEnterprise webpage and followed the wizard.
Hi @BabySplunk,
at the end of the guided procedure, you can search the data; do you have results?
Ciao.
Giuseppe
No results.
Hi @BabySplunk,
this means that the ingestion procedure failed and you didn't upload your data.
During the guided procedure, you can check the timestamp recognition and the field recognition; do you see them correctly?
Ciao.
Giuseppe
Yes, I see them and my data is now populating but when I complete the upload and attempt a search, I'm still getting "no results found".
Hi @BabySplunk,
using the guided procedure, check whether the timestamp is read correctly, because if you're using a date in European format (dd/mm/yyyy), until the 11th of the month Splunk reads it in American format (mm/dd/yyyy), and maybe your data was ingested but with the wrong timestamp.
You can check this by searching your data with timestamp 01/12/2022 on the 12th of January 2022.
If this is the issue, you have to force the correct TIME_FORMAT in the sourcetype.
Ciao.
Giuseppe
I have it showing results now, but the table header tags that I typically use with my forwarded data are not matching up in the CSV import. For instance, I normally use "| table _time,Account_Name,Message,EventCode", but nothing matches from the CSV import. It reads "Event ID" instead of EventCode and "EXTRA_FIELD_" instead of Message, and "Account_Name" returns no results.
Check the time range of your search. If you import data from the past, you might simply be searching over the wrong time range, which by default is some time "backwards" from now (like the last 24h).
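The two problems raised above, the day-first timestamp that the upload wizard can misread and the export headers ("Event ID", an unlabelled message column) that don't match the field names used for forwarded data, can be dealt with before upload by normalizing the CSV. The Python below is an added example, not from this thread or from Splunk; the sample export, the "Date and Time" header and the "TimeCreated" target name are constructed assumptions modelled on an Event Viewer CSV export.

```python
import csv
import io
from datetime import datetime

# Assumed mapping from Event Viewer CSV export headers to the field names the
# Splunk_TA_Windows add-on gives forwarded events ("Event ID" is from the thread;
# the other names are assumptions). Other headers just get spaces replaced.
HEADER_MAP = {"Event ID": "EventCode", "Date and Time": "TimeCreated"}
# The export is assumed to use the European day-first format discussed above.
SOURCE_TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
ISO_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"  # unambiguous, so no TIME_FORMAT override needed

# Constructed sample export: the message column has no header, which is why
# Splunk labels it EXTRA_FIELD_N on upload. In this assumed layout Account_Name
# is not a column; it only appears inside the message text, so it stays empty.
SAMPLE_EXPORT = """Level,Date and Time,Source,Event ID,Task Category
Information,12/01/2022 09:15:22,Microsoft-Windows-Security-Auditing,4624,Logon,An account was successfully logged on.
Information,01/12/2022 17:40:03,Microsoft-Windows-Security-Auditing,4634,Logoff,An account was logged off.
"""


def normalize_csv(text):
    """Return the export rewritten with Splunk-style headers and ISO timestamps."""
    rows = list(csv.reader(io.StringIO(text)))
    header = [HEADER_MAP.get(h.strip(), h.strip().replace(" ", "_")) for h in rows[0]]
    body = [r for r in rows[1:] if r]
    if max(len(r) for r in body) == len(header) + 1:
        header.append("Message")  # name the trailing unlabelled column
    time_idx = header.index("TimeCreated")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for row in body:
        row = row + [""] * (len(header) - len(row))  # pad short rows
        stamp = datetime.strptime(row[time_idx], SOURCE_TIME_FORMAT)
        row[time_idx] = stamp.strftime(ISO_TIME_FORMAT)
        writer.writerow(row)
    return out.getvalue()


def normalized_records(text):
    """Parse the normalized CSV back into dicts keyed by the new field names."""
    return list(csv.DictReader(io.StringIO(normalize_csv(text))))


if __name__ == "__main__":
    print(normalize_csv(SAMPLE_EXPORT))
```

Upload the output instead of the raw export: with ISO 8601 timestamps the wizard's default recognition is not ambiguous, and EventCode=4624 matches the same way it does for forwarded data.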