Getting Data In

sourcetype for windows event logs

mikefoti
Communicator

This question deals with identifying fields within events from a Windows event log (i.e. the Application, System or Security log) manually exported from the Windows EventVwr.

I know I can use a Splunk Universal Forwarder to monitor the logs and forward events for indexing as they occur… but in this case I need to troubleshoot a system that is not forwarding events. So I manually export, for example, the System event log. In doing so I have 3 options. I may export a log and save it as a .evt, a .csv or a .txt file. For testing, I have exported it in all 3 formats. I then used the Splunk UI to Add Inputs. First, when selecting the “sourcetype” I selected Automatic. I then selected From List, and tested csv, csv-2, csv-3, syslog and Log4J. My best results came when indexing the .txt file using either sourcetype Automatic or Log4J… but I was surprised to find that none of the combinations automatically identified the Windows event Source, Type, Category or EventID, etc.

So I guess I have 2 questions:

1. What happens behind the scenes when I select from the various sourcetypes available on the Data Inputs screen?
2. Is there a tried and true method for automatically identifying these basic Windows event log fields so next week, when troubleshooting another Windows system, I won’t have to re-extract these basic fields?


dart
Splunk Employee

Windows event logs should be importable as .evt or .evtx files; however, you need to be running your indexer on Windows to do so.

The default sourcetype would be WinEventLog: followed by the source log, for example for the Application log it would be WinEventLog:Application; however, automatic sourcetype assignment should work, and fields should be extracted.

