I am running Splunk for Mac (Darwin) on my laptop. I have received a handful of EVTX files for analysis from a project team trying to visualize the events captured in these event files. I understand that EVTX files require Windows APIs and DLLs to index, or running Splunk on Windows, to be indexed correctly.
However, is there a workaround to get these EVTX files indexed on a Splunk instance running on Mac?
Please suggest.
I think you'll need to get them to give you the information you need.
Install an agent on the Windows machine capable of producing 'correct' events. Splunk Universal Forwarder is very good; Snare might also work.
If that for some reason is not possible, they might have some luck with LogParser.
http://en.wikipedia.org/wiki/Logparser
http://technet.microsoft.com/en-us/library/ee692937.aspx
Not really familiar with that tool, though.
/K
Noted. Have asked them to set up a free license of Splunk. Have offered them remote assistance once they are ready.
Tell the project team to redo it. They can't expect you to do a proper analysis with deficient data.
Hi Kristian, Thanks for the help.
Unfortunately, I have received the EVTX files as email attachments.