@sswigart btw interesting scenario. This is not a comprehensive solution and providing some guidance on how to proceed in this case. As we do in any migration, firstly, ensure we have a fallback mechanism. In this case, keep the Windows Splunk server intact until the Linux migration is fully validated. This gives you a fallback if anything goes wrong. Secondly, since the environment is air gapped, you can use offline media (external drives, SSDs) for data transfer. Copy the entire Splunk db directory (all hot, warm, and cold buckets) from Windows to Linux. Make sure to stop Splunk service before copying to avoid partial buckets. Thirdly, you need to adjust Configurations - both system/local and app configurations. Also path changes like from C:\... to /opt/splunk/… for linux. On Linux, ensure directories are owned by the splunk user. Use the below command. chown -R splunk:splunk /opt/splunk/ Ensure version alignment, run the same Splunk Enterprise version on both Windows and Linux during migration. Validate disk space and filesystem compatibility (NTFS to ext4/xfs). Audit index names and configs for consistent casing to avoid mismatches since Linux is case‑sensitive. >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

Thanks PickleRick!   ... View more

Hi @sswigart  I think you should be able to setup a monitor in inputs.conf but using the "preprocess-winevt" sourcetype, although I havent done this for some time. #inputs.conf [monitor://Path/To/Your/security.evxt] index=yourNewIndex sourcetype=preprocess-winevt Also check out https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain/m-p/557631 for more info on this approach. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

I am using the Splunk  Add-on for Microsoft Windows. The inputs.conf files on the hosts are located in: C:\SplunkUF\etc\apps\Splunk_TA_windows\local\inputs.conf ... View more

Thank you for your advice!   ... View more

Actually, you can blacklist by eventcodes or by regex. (and with a caveat that if you use renderXml=true, you have to specify blacklist differently). ... View more

Try removing the quotes from the file path. Check splunkd.log for errors relating to that input. ... View more

Hi @sswigart , as also @dtburrows3 said, SED-CMD removes a part of the event, not the entire event. If you want to remove the full event before indexing see at https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Ciao. Giuseppe ... View more

Thank you! ... View more

My example was XML for use in a classic dashboard - so if you take the entire XML below and create a new dashboard and paste in this into the source. <dashboard version="1.1"> <row> <panel> <table> <title>Turning the Time column red if outside hours 18:00 to 06:00</title> <search> <query> index="winlogs" host=* source="WinEventLog:Security" Eventcode=4624 Logon_Type=2 OR Logon_Type=7 NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host" | sort_time | convert ctime(_time) as timestamp | table timestamp,EventCode,Logon_Type,Account_Name,RecordNumber,status </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="timestamp"> <colorPalette type="expression">if(tonumber(substr(value,12,2))&gt;=18 OR tonumber(substr(value,12,2))&lt;6, "#FF0000", "#FFFFFF")</colorPalette> </format> </table> </panel> </row> </dashboard> This is what an XML dashboard looks like. You can see your search in the <search> section and the <format> section is what defines your colours and testing the time range. That documentation for the format is here https://docs.splunk.com/Documentation/Splunk/9.1.0/Viz/TableFormatsXML   ... View more

Hi @sswigart, you can whitelist the EventCodes related to logins but in this way you exclude all the other EventCodes, I think that it's better to filter these events at search time. Anyway, at http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf there's an example of whitelisting Windows EventCodes. Ciao. Giuseppe ... View more

Hi dyude @jonsantos , Can u try this, On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file. [WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625 An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder. Search the logs with the given index name(if any). Let me know if this helps ... View more