You would need to convert the evtx file into a Splunk-friendly format such as XML using wevtutil.
For example: wevtutil qe /lf yourlog.evtx > yourlog.xml
You can import the XML file by using the Splunk input manager and defining your own sourcetype:
Manager->Data Inputs->Files and Directories -> Start a new source type
Select .xml and then adjust the parsing settings until you get individual events. I ended up with a props.conf like the following:
BREAK_ONLY_BEFORE=<Event
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_PREFIX=SystemTime=
From that point on, Splunk should be able to parse the XML events natively.
Note that the XML event contains only bare XML data, while Windows Event Viewer also adds metadata to it, such as the error message text. It might be possible to add this information while exporting logs (it offers saving language-specific information during export), but I didn't try that.
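The following is an added example, not part of the original answer or of Splunk's or Microsoft's code. It applies the two props.conf rules from the answer (break before `<Event`, timestamp after `SystemTime=`) in plain Python so you can sanity-check a wevtutil XML export offline before ingesting it: that it splits into individual events, that each timestamp parses, and that no rendered message text is present. The sample export, record ids, host name and user names are constructed for the example and follow the shape wevtutil writes (concatenated `<Event>` records with single-quoted attributes and no root element).

```python
"""Sanity-check a wevtutil XML export the way the props.conf in the answer
would split it (added example; not from the original answer).

`wevtutil qe <file> /lf` writes one <Event>...</Event> record after another
with no enclosing root element, which is why the answer's props.conf uses
BREAK_ONLY_BEFORE=<Event and TIME_PREFIX=SystemTime=. The functions below
apply the same two rules in Python so an export can be checked offline.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace wevtutil puts on every <Event> element.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two Security events in the shape wevtutil produces.
# Host, record ids and user names are made up for this example.
SAMPLE_EXPORT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><Level>0</Level>"
    "<TimeCreated SystemTime='2024-01-15T10:23:45.1234567Z'/>"
    "<EventRecordID>1001</EventRecordID><Channel>Security</Channel>"
    "<Computer>WS01.example.test</Computer></System>"
    "<EventData><Data Name='TargetUserName'>alice</Data>"
    "<Data Name='LogonType'>2</Data></EventData></Event>\r\n"
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4625</EventID><Level>0</Level>"
    "<TimeCreated SystemTime='2024-01-15T10:24:02.0000000Z'/>"
    "<EventRecordID>1002</EventRecordID><Channel>Security</Channel>"
    "<Computer>WS01.example.test</Computer></System>"
    "<EventData><Data Name='TargetUserName'>bob</Data>"
    "<Data Name='LogonType'>3</Data></EventData></Event>\r\n"
)


def split_events(export_text):
    """Mirror BREAK_ONLY_BEFORE=<Event: a new event starts at each '<Event'.

    The lookahead requires whitespace or '>' after '<Event' so that nested
    <EventID> / <EventData> / <EventRecordID> tags are not taken as boundaries.
    """
    chunks = re.split(r"(?=<Event[\s>])", export_text)
    return [c.strip() for c in chunks if c.strip()]


def parse_system_time(event_xml):
    """Mirror TIME_PREFIX=SystemTime=: read the timestamp that follows it.

    wevtutil writes seven fractional digits; Python's %f accepts six, so the
    fraction is truncated (not rounded) to microseconds before parsing.
    """
    m = re.search(
        r"SystemTime=['\"](\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z['\"]",
        event_xml,
    )
    if not m:
        raise ValueError("no SystemTime attribute found")
    base, frac = m.group(1), (m.group(2) or "0")
    micros = int(frac[:6].ljust(6, "0"))
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=micros, tzinfo=timezone.utc)


def extract_fields(event_xml):
    """Pull the fields an analyst usually keys on from one <Event> record."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", EVT_NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        "Channel": system.findtext("e:Channel", namespaces=EVT_NS),
        "Computer": system.findtext("e:Computer", namespaces=EVT_NS),
        "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=EVT_NS)),
        "SystemTime": parse_system_time(event_xml),
    }
    for data in root.iterfind("e:EventData/e:Data", EVT_NS):
        fields[data.get("Name")] = data.text
    # A plain wevtutil export carries the raw fields only; a <RenderingInfo>
    # element would be present if the export included the message text.
    fields["HasRenderedMessage"] = root.find("e:RenderingInfo", EVT_NS) is not None
    return fields


def check_export(export_text):
    """Split and parse a whole export, verifying events stay in record order."""
    events = [extract_fields(e) for e in split_events(export_text)]
    ids = [e["EventRecordID"] for e in events]
    if ids != sorted(ids):
        raise ValueError("events out of record-id order; check the split rule")
    return events


if __name__ == "__main__":
    for ev in check_export(SAMPLE_EXPORT):
        print(ev["SystemTime"].isoformat(), ev["EventID"],
              ev.get("TargetUserName"), "rendered" if ev["HasRenderedMessage"] else "raw")
```

Run it against a real export by reading the file into `check_export`; if it raises or returns fewer events than you expect, the boundary rule is wrong for that export. Note that the split pattern here is tighter than a bare `<Event`: if an export ever arrives pretty-printed across lines, the unanchored `<Event` in BREAK_ONLY_BEFORE would also match lines starting with `<EventID>` or `<EventData>`, and the props.conf regex would need the same tightening.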