Hi @sswigart  I think you should be able to setup a monitor in inputs.conf but using the "preprocess-winevt" sourcetype, although I havent done this for some time. #inputs.conf [monitor://Path/To/Your/security.evxt] index=yourNewIndex sourcetype=preprocess-winevt Also check out https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain/m-p/557631 for more info on this approach. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

I am using the Splunk  Add-on for Microsoft Windows. The inputs.conf files on the hosts are located in: C:\SplunkUF\etc\apps\Splunk_TA_windows\local\inputs.conf ... View more

Thank you for your advice!   ... View more

Actually, you can blacklist by eventcodes or by regex. (and with a caveat that if you use renderXml=true, you have to specify blacklist differently). ... View more

Try removing the quotes from the file path. Check splunkd.log for errors relating to that input. ... View more

Hi @sswigart , as also @dtburrows3 said, SED-CMD removes a part of the event, not the entire event. If you want to remove the full event before indexing see at https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Ciao. Giuseppe ... View more

Thank you! ... View more

My example was XML for use in a classic dashboard - so if you take the entire XML below and create a new dashboard and paste in this into the source. <dashboard version="1.1"> <row> <panel> <table> <title>Turning the Time column red if outside hours 18:00 to 06:00</title> <search> <query> index="winlogs" host=* source="WinEventLog:Security" Eventcode=4624 Logon_Type=2 OR Logon_Type=7 NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host" | sort_time | convert ctime(_time) as timestamp | table timestamp,EventCode,Logon_Type,Account_Name,RecordNumber,status </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="timestamp"> <colorPalette type="expression">if(tonumber(substr(value,12,2))&gt;=18 OR tonumber(substr(value,12,2))&lt;6, "#FF0000", "#FFFFFF")</colorPalette> </format> </table> </panel> </row> </dashboard> This is what an XML dashboard looks like. You can see your search in the <search> section and the <format> section is what defines your colours and testing the time range. That documentation for the format is here https://docs.splunk.com/Documentation/Splunk/9.1.0/Viz/TableFormatsXML   ... View more

Hi @sswigart, you can whitelist the EventCodes related to logins but in this way you exclude all the other EventCodes, I think that it's better to filter these events at search time. Anyway, at http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf there's an example of whitelisting Windows EventCodes. Ciao. Giuseppe ... View more

Hi dyude @jonsantos , Can u try this, On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file. [WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625 An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder. Search the logs with the given index name(if any). Let me know if this helps ... View more