Indexing Log files which are in zip format

1234testtest
Path Finder

Hi,
I am looking at indexing log files (Windows event log .evt files which are zipped). Is there a step-by-step procedure on how to index these files?

I have looked at some answers earlier but couldn't find a complete solution.
http://splunk-base.splunk.com/answers/42128/indexing-zip-files


rturk
Builder

By default Splunk will unzip files in a directory that it is configured to monitor, however it may be complicated by the fact that it's a zipped binary (I'd test, but I'm on a Mac/Unix setup), but I can't think of any reason why it wouldn't work.

You might want to have a look at this:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Index_exported_event_log_...

Does it index an uncompressed .evt file without a problem?


1234testtest
Path Finder

Also I find that in the splunkd log files there is an error reported:
ERROR WinRegistryApi - RegKey::open - RegOpenKeyExW returned error 2
Is this in any way related to indexing event.zip files which have a folder path specified inside the zip file?


1234testtest
Path Finder
  1. Event.zip files are being indexed when, while adding data, we choose "Or Choose a Data Source" - "From files and directories". It doesn't work when going through the route "Choose a Data Type" and "A file or directory of files".

  2. The challenge still remains - when I choose a single event.zip file and upload and index it (taking the route mentioned in 1 above), it gets indexed.

If we choose "Continuously index data from a file or directory this Splunk instance can access" and point to the directory where the zipped event files are, they are not being indexed.
The zip file contains a path inside it - when we open the zip file there is a folder structure, Data1\event_bkup, and the .evt file resides inside the event_bkup folder.

When I use btool, I see that the directory is listed for monitoring. How do we solve this issue?

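The post above describes archives whose .evt file sits under a nested folder (Data1\event_bkup). Before pointing a monitor input at such a directory, it helps to see exactly what each archive contains and, if needed, to extract the .evt files flat so the uncompressed files can be monitored directly. The following is an added example, not code from this thread or from Splunk; the archive contents, file names and placeholder payload are constructed, and the layout mirrors the one described in the post.

```python
import io, os, tempfile, zipfile
from pathlib import PurePosixPath


def build_sample_zip(nested: bool) -> bytes:
    """Constructed sample archive; payload is placeholder bytes, not a real .evt."""
    member = "Data1/event_bkup/Application.evt" if nested else "Application.evt"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"placeholder event log bytes")
    return buf.getvalue()


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """One record per .evt member: raw name, normalised path, nested flag, size."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # archives built on Windows may store '\' separators; normalise for the check
            path = info.filename.replace("\\", "/")
            if info.is_dir() or PurePosixPath(path).suffix.lower() != ".evt":
                continue
            records.append({"raw": info.filename, "path": path,
                            "nested": "/" in path, "size": info.file_size})
    return records


def extract_evt_flat(zip_bytes: bytes, dest_dir: str, prefix: str) -> list[str]:
    """Write every .evt member into dest_dir with no subfolders, so the plain
    .evt files can be monitored directly; prefix keeps archives from colliding."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for rec in inspect_zip(zip_bytes):
            out = os.path.join(dest_dir, f"{prefix}__{PurePosixPath(rec['path']).name}")
            with zf.open(rec["raw"]) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(out)
    return written


def demo() -> tuple[dict, list[str]]:
    """Inspect both constructed archives and extract the nested one flat into a temp dir."""
    report = {"event_nested.zip": inspect_zip(build_sample_zip(True)),
              "event_flat.zip": inspect_zip(build_sample_zip(False))}
    out = extract_evt_flat(build_sample_zip(True), tempfile.mkdtemp(), "event_nested")
    return report, [os.path.basename(p) for p in out]
```

Running `demo()` reports which archives carry nested .evt members and leaves flat copies in a temporary directory that a file monitor can be pointed at.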

lguinn2
Legend

Here is a link to the docs where it discusses monitoring Windows event logs - notice that there is a paragraph about indexing exported event logs, which implies that Splunk can index .evt files.

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorwindowsdata

dangeloma
Explorer

For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files:

https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata
