Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding Saved Windows Events

ashishv
Explorer
‎01-28-2011 09:46 PM

i have a windows splunk forwarder config'd to forward all local Events logs; i have a event log from another server that i imported on this machine and want splunk forwarder to send this log events to splunk server...

is this achievable? if yes, How?

what are some of the best practices to import Windows Events log for a particular Windows Event ID?

thanks Ashish

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎01-28-2011 11:10 PM

I am unsure, but believe the 'import' function is a data viewing operation?

We will try to read events from an evt or evtx file if you point splunk at it to monitor, but note that there can be problems with moving eventlog data from one system to another, where some values cannot be resolved because of nonpresent operating system or application dlls. This more typically will result in incomplete data (missing fields), more than a failure to read.

In general the windows eventlog api is much higher quality in vista and later revisions of the platform (vista, 7, 2008) than in earlier versions (xp, 2003), so it's preferable to run the eventlog collector on those later versions.

As for collecting a specific eventID, I cannot think of a nice way. You could definitely create props/transforms to discard all but your desired eventID for a given input by regex matching, but this is more than a bit tricky.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎01-28-2011 11:10 PM

I am unsure, but believe the 'import' function is a data viewing operation?

We will try to read events from an evt or evtx file if you point splunk at it to monitor, but note that there can be problems with moving eventlog data from one system to another, where some values cannot be resolved because of nonpresent operating system or application dlls. This more typically will result in incomplete data (missing fields), more than a failure to read.

In general the windows eventlog api is much higher quality in vista and later revisions of the platform (vista, 7, 2008) than in earlier versions (xp, 2003), so it's preferable to run the eventlog collector on those later versions.

As for collecting a specific eventID, I cannot think of a nice way. You could definitely create props/transforms to discard all but your desired eventID for a given input by regex matching, but this is more than a bit tricky.

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎01-31-2011 11:30 PM

The simple answer is that setting splunk to monitor the specific path should work. If that is not working for you, then I recommend working with splunk support to resolve the problem.

0 Karma
Reply
Solved! Jump to solution

ashishv
Explorer
‎01-31-2011 03:36 PM

splunk monitor is on Windows 7, Event logs are from Win2008 servers. when i try to import these evtx logs, it gives me the following error:

"Your entry was not saved. The following error was reported: SyntaxError: Unexpected token <"

Ashish

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...