cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
arechenberg
Explorer
Member since: ‎08-15-2016
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 3
Karma Received 2
Member Since ‎08-15-2016
Activity Feed
View All

Re: How to index exported .evt and .evtx files?

by in Archive
‎08-21-2017 03:09 PM
2 Karma
‎08-21-2017 03:09 PM
2 Karma
This answer assumes that Splunk is running on the same machine as the Windows log files. I believe the intent of the question was how to index *.evtx files that have been exported from a machine as files and then import them into a different machine running Splunk. I would like to know an answer to this question as well. Having a similar problem - I upload the evtx file, file recognized by Splunk as preprocess-winevt , complete the import but no data is indexed by Splunk, or very old events (e.g. events from November 2016) are indexed. Any help is much appreciated, Andy ... View more

Re: What is the best practice for collecting Windo...

by in Getting Data In
‎02-12-2017 03:01 PM
‎02-12-2017 03:01 PM
Thanks for the reply adauria. Your response somewhat answers my question. One clarification, since WMI can be executed locally by the Splunk Universal Forwarder, my question leans more toward a performance best practice for collecting local event log data. The original subject of the query was more along those lines however a Splunk moderator changed the subject so it doesn't really reflect the type of information for which I'm looking. Basically, is the WinEventLog method of collecting event logs more or less efficient (in terms of system overhead) than using WMI and event_log_file Thanks again ... View more

Re: What is the best practice for collecting Windo...

by in Getting Data In
‎01-30-2017 10:10 AM
‎01-30-2017 10:10 AM
Thanks for the response Giuseppe. Are you able to provide rationale for preferring this method over WMI? ... View more

What is the best practice for collecting Windows E...

by in Getting Data In
‎01-30-2017 09:08 AM
‎01-30-2017 09:08 AM
Windows event logs can be gathered both via WinEventLog in inputs.conf and also via WMI and event_log_file in wmi.conf Does anyone have a best practice for collecting Windows event logs? Which method incurs more of an overhead on the system? Thanks in advance. Cheers, Andy ... View more

Re: Splunk parsing day of year incorrectly?

by in Splunk Enterprise
‎08-24-2016 08:17 AM
‎08-24-2016 08:17 AM
Thanks for the reply Lisa. That was indeed the issue. I added the year in front as such: 2016/231/06:00:00 Splunk then parsed the timestamp as expected. Thanks again! ... View more

Splunk parsing day of year incorrectly?

by in Splunk Enterprise
‎08-15-2016 10:31 AM
‎08-15-2016 10:31 AM
Good day. I am trying to import a CSV into Splunk and specifying a Timestamp format and it appears Splunk is not calculating the day of year properly. My data has a column called 'Start Time' with values such as 222/06:00:00 I have specified the timestamp fields as Start Time and the Timestamp format as %j/%H:%M:%S Splunk correctly identifies the time but it assumes the day/date starts as today (08/15/2016) instead of the specified day of year in the imported data (e.g. 222 is actually 9 Aug. 2016). I have tested this conversion by editing my CSV so that one of the rows has 001/06:05:04 , which should parse to 01/01/2016 06:05:04.000 but instead parses to 08/15/2016 06:05:04.000 I've tried this data import on both Splunk Light Free (6.4.0) and Splunk Enterprise (6.4.2) and the results are the same. Is this a problem with my data or with the way Splunk is parsing the day of year value? Thanks, Andy ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to