Getting Data In

Indexing Log files which are in zip format

1234testtest
Path Finder

Hi,
I am looking at indexing log files (Windows event log .evt files which are zipped). Is there a step-by-step procedure on how to index these files?

I have looked at some answers earlier but couldn't find a complete solution.
http://splunk-base.splunk.com/answers/42128/indexing-zip-files


rturk
Builder

By default Splunk will unzip files in a directory that it is configured to monitor, however it may be complicated by the fact that it's a zipped binary (I'd test, but I'm on a Mac/Unix setup), but I can't think of any reason why it wouldn't work.

You might want to have a look at this:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Index_exported_event_log_...

Does it index an uncompressed .evt file without a problem?


1234testtest
Path Finder

Also I find that in the splunkd log files there is an error reported:
ERROR WinRegistryApi - RegKey::open - RegOpenKeyExW returned error 2
Is this in any way related to indexing event.zip files which have a folder path specified inside the zip file?


1234testtest
Path Finder
  1. Event.zip files are being indexed when, while adding data, we choose "Or Choose a Data Source" - "From files and directories". It doesn't work when going through the route "Choose a Data Type" and "A file or directory of files".

  2. The challenge still remains - when I choose a single event.zip file and upload and index (taking the route mentioned in 1 above), it gets indexed.

If we choose "Continuously index data from a file or directory this Splunk instance can access" and point to the directory where there are zipped event files, they are not being indexed.
The zip file contains a path inside it - when we open the zip file, there is a folder structure - Data1\event_bkup and the .evt file resides inside the event_bkup folder.

When I use btool, I see that the directory is listed for monitoring. How do we solve this issue?

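A quick check for the situation described in the post above, added here as an example and not code from any poster or from Splunk: it walks the entries of a zip archive, reports how deeply each file is nested (the Data1\event_bkup layout gives depth 2) and sniffs the header bytes to confirm the entry really is a legacy .evt (signature "LfLe" at offset 4) or a newer .evtx (signature "ElfFile"). The sample archive is constructed in memory; the signatures are the standard Windows event log header values, not something the thread states.

```python
"""Inspect zip archives destined for a Splunk monitored directory and report
whether the .evt entries sit inside a nested folder (as in Data1\\event_bkup),
the layout the poster found was not picked up by continuous monitoring.
Added example, not Splunk code; the sample archive below is constructed."""
import io
import zipfile

EVT_SIGNATURE = b"LfLe"      # legacy .evt header signature at offset 4
EVTX_SIGNATURE = b"ElfFile"  # newer .evtx header signature at offset 0


def classify_entry(head: bytes) -> str:
    """Return 'evt', 'evtx' or 'unknown' from the first 8 header bytes."""
    if head[4:8] == EVT_SIGNATURE:
        return "evt"
    if head[:7] == EVTX_SIGNATURE:
        return "evtx"
    return "unknown"


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """List each file member with its nesting depth and detected log format."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Zip member names use '/' separators; depth 0 means top level.
            depth = info.filename.count("/")
            with zf.open(info) as fh:
                head = fh.read(8)
            report.append({"name": info.filename, "depth": depth,
                           "format": classify_entry(head)})
    return report


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the poster's Data1\\event_bkup layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Minimal fake .evt header: 4-byte size (0x30) followed by "LfLe".
        fake_evt = (0x30).to_bytes(4, "little") + EVT_SIGNATURE + b"\x00" * 40
        zf.writestr("Data1/event_bkup/Application.evt", fake_evt)
        zf.writestr("readme.txt", b"not a log")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_zip(build_sample_zip()):
        flag = "nested" if entry["depth"] else "top-level"
        print(f"{entry['name']}: {entry['format']}, {flag}")
```

Run it against the real archives in the monitored directory (read each file's bytes and pass them to inspect_zip) to see whether every .evt is nested and whether any entry is not actually an event log file.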

lguinn2
Legend

Here is a link to the docs where it discusses monitoring Windows event logs - notice that there is a paragraph about indexing exported event logs, which implies that Splunk can index .evt files.

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorwindowsdata

dangeloma
Explorer

For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files:

https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata 
