Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to index .evtx files and put them in their own index

nls7010
Path Finder
‎06-25-2019 12:10 PM

I have read all of the above, but I think I'm confused on just what to do to get the indexing going.

We are wanting to pick up the following path on some of our windows servers: %SystemRoot%\System32\Winevt\Logs\Application.evtx , but I'm not certain what to put in the sourcetype for those files.
Can I select an index rather than the main (which we don't want to use)?

Any assistance would be helpful, thank you!

0 Karma
Reply

jnudell_2
Builder
‎06-25-2019 12:33 PM

Hi @nls7010 ,
Don't try to ingest the Windows event logs directly. You'll want to use the Windows TA for Splunk (https://splunkbase.splunk.com/app/742/#/overview) and then refer to the documentation for indexing Windows Events from the event log (https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration).

Specifically you'll want to enable collection for the Application log in inputs.conf on your Windows Universal Forwarder:
inputs.conf

[WinEventLog://Application]

disabled = 0

By default, this input is disabled and will need to be enabled in the local folder of the application (if there is no local folder, you would create one and create an inputs.conf with the lines above)

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...