Why is Splunk not indexing?

rockb
Explorer

I am trying to use Splunk to review Windows logs that were exported from machines that are not on a network. I have copied the .evtx files to my Splunk machine.

Fresh install of Splunk 9.0.1

Below is the process I used to try to get the events indexed. I think this is the same process I have used in the past, but for some reason no events are indexed.

1. Settings --> New Index
2. Enter Name for index
3. Save
4. Settings --> Data Inputs
5. Files and Directories
6. New Local File and Directory
7. Input Path of top level folder containing logs
8. Select Continuously Monitor
9. Next
10. Source Type: Automatic
11. App Context: Search and reporting
12. Select Constant Value
13. Host field name:*
14. Select Index Created in steps 1- 3
15. Review
16. Start Searching


The search results in 0 events listed. I delete everything from the search box except index="nameofindex" and still there are no events listed.

0 Karma

gcusello
SplunkTrust

Hi @rockb,

To ingest wineventlogs you have to use the wineventlog connector created by Splunk because Windows eventlogs are encrypted.

As @richgalloway said, you have to use a different input option: [Settings -- Data inputs -- Local event log Collection], and the correct sourcetype will automatically be associated with the logs: wineventlog:security, wineventlog:application, wineventlog:system.

My hint is to use a different approach:

  • download the Splunk TA_Windows from Splunkbase (https://splunkbase.splunk.com/app/742/),
  • copy the inputs.conf from the default to local folder,
  • enable the stanzas you need (disabled=0),
  • upload the App in your Splunk environment or deploy to your Splunk Forwarder.

In this way, you have a more organized data input.

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust

evtx files are _not_ encrypted. You can move your files around and you can import them into another machine and whatnot. And you don't have to provide any secrets in doing so. So they are not encrypted. They are however encoded so they are not in a plain text format and are thus useless for direct importing with a monitor input.

One could try importing the files into event viewer and setting an Event Log input with the destination log name. Might work but I haven't tried it myself.

0 Karma

richgalloway
SplunkTrust

Splunk can't read Windows event logs using a monitor input. The usual method is via a WinEventLog input, but that probably won't work with transferred files since WinEventLog expects to get data directly from the local Windows server.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust

I'm not sure, but I think I read somewhere that Splunk was able (at least some time ago) to read evt files (not sure about evtx). One caveat: it must have been a Windows Splunk version; it probably used some system library calls to process the file.

I'm not sure, however, if the possibility still exists, since I haven't seen a Windows-based Splunk server for a loooooong time.

0 Karma

rockb
Explorer

I have done this before. I got everything set up and working, then another employee took over the task. They then moved and took the computer with them. That employee recently moved to another position and UPS "lost" the computer, so I am now trying to get it set up on a new machine.

I do remember that when configuring the previous box I used WinEventLog somewhere in the process. I thought it was in the Source Type under Operating System, but all I see there now is windows_snare_syslog, and that does not seem to work either.

0 Karma

richgalloway
SplunkTrust

The sourcetype to use is 'wineventlog'.

---
If this reply helps you, Karma would be appreciated.

rockb
Explorer

wineventlog was not found, but that did get me there.

The correct string is "preprocess-winevt".


It is indexing now. Thank you.

0 Karma
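For reference, here is an inputs.conf rendering of the two approaches discussed in this thread: the monitor input with the sourcetype that worked for the original poster, and the WinEventLog stanza used by the TA_Windows approach. This is an added example, not configuration from any post or from Splunk's documentation; the directory path, index name and host value are placeholders.

```ini
# Added example: inputs.conf equivalent of the UI steps in this thread.
# The path, index and host values are placeholders, not from the original posts.

# 1. Offline .evtx files copied to the Splunk server (the case in the question).
#    .evtx is a binary format, so a monitor input with sourcetype "Automatic"
#    indexes nothing; the sourcetype reported as working above is preprocess-winevt.
[monitor:///opt/exported-logs]
whitelist = \.evtx$
sourcetype = preprocess-winevt
index = nameofindex
host = offline-host-placeholder
disabled = 0
# Exported .evtx files share the same leading file header, so Splunk's
# initial-bytes CRC check may treat separate files as already-seen duplicates;
# salting the CRC with the source path makes each file distinct.
crcSalt = <SOURCE>

# 2. Live collection on a Windows host running a forwarder (the TA_Windows
#    approach in the other answer); the wineventlog:* sourcetypes are assigned
#    automatically, so only the index and the enable flag are set here.
[WinEventLog://Security]
index = nameofindex
disabled = 0
```

Deploy the file as `local/inputs.conf` inside an app and restart or reload the inputs; a quick check that the monitor stanza is picking files up is `index=nameofindex sourcetype=preprocess-winevt | stats count by source`.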