Solved: Splunk Add-On for Windows

pc1 · ‎08-17-2021

I have the Splunk Add-On for Windows installed on my deployment server in order to help collect data from my windows machines (forwarders). However, when the data comes in - it is all condensed down into a block and more or less unreadable. The entries from it have the tags like <Event>, <System>, etc but it isn't spaced out at all and bunched together. Was curious if anyone knows how to make the data from this add-on look like how all other data usually comes into splunk - spaced out and indented and more readable to the human eye essentially. Not sure if this would be a splunk configuration or a configuration that has to be done specifically to my Windows Add-On settings on my deployment server. Thanks!

scelikok · ‎08-17-2021

Windows logs are being ingested as XML in default configuration. You can update

renderXml=0

in your inputs to get the events as text which is easier to read.

If this reply helps you an upvote is appreciated.

View solution in original post

scelikok · ‎08-17-2021

Windows logs are being ingested as XML in default configuration. You can update

renderXml=0

in your inputs to get the events as text which is easier to read.

If this reply helps you an upvote is appreciated.

View solution in original post

pc1 · ‎08-18-2021

I set renderXml=false instead of 0 which is more or less the same thing but just for anyone else who might come across this thread

Splunk Add-On for Windows

universal forwarder

Windows

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Splunk Add-On for Windows

universal forwarder

Windows

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>