can you check that splunk was not installed previously on the machine by doing sc query splunkd sc query splunkweb? if they exist you need to delete them first using "sc delete service_name" if you are installing Splunk to run as a user make sure that it has Permission to log on as a service Permission to log on as a batch job you can also temporary make your user a member of buitdin administrator group to make sure that this is not permission problem. ... View more

can you please clarify your scenario? Are you indexing evtx logs by pointing Splunk to the directory? ... View more

what was the issue then? ... View more

Is your user has admin privileges on the box where UF is installed? here is the link with required privileges: http://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonWindows ... View more

you can use Splunk REST API to modify configuraiton: // to create a stanza curl -k -u admin:pwd https://localhost:8089/services/properties/inputs -d __stanza=monitor%3A%2F%2FC%3A%5CWINDOWS%5CSystem32 // to set crcSalt curl -k -u admin:pwd https://localhost:8089/services/properties/inputs/monitor%3A%2F%2FC%3A%5CWINDOWS%5CSystem32 -d crcSalt=%3CSOURCE%3E or maybe just append new stanza with crcSalt into the end of inputs.conf (e.g. type stanza.file >> inputs.conf) if you can execute elevated scripts? You need to reboot Splunk after that. ... View more

try to set crcSalt in inputs.conf. Note that <SOURCE> must be in caps. see also full spec for inputs.conf http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputs.conf [monitor://path-to-dir] disabled = false crcSalt = <SOURCE> ... View more

Can you enable splunk logging? In etc\log.cfg set the following flags to DEBUG category.WinEventLogAgent=DEBUG category.WinEventLogInputProcessor=DEBUG category.WinEventLogChannel=DEBUG category.WinEventLog=DEBUG restart splunk and look into var\splunkd.log for possible errors ... View more

Actually Splunk supports monitoring evtx files as described here: http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/MonitorWindowsdata#Index_exported_event_log_.28.evt_or_.evtx.29_files ... View more

you would need to convert evtx file in a Splunk friendly format such as xml using wevtutil For example: wevtutil qe /lf yourlog.evtx > yourlog.xml You can import xml file by using Splunk input manager and defining you own sourcetype: Manader->Data Inputs->Files and Directories -> Start a new source type Select .xml and then adjust parsing setting until you get individual events. I ended up with props.conf like following: BREAK_ONLY_BEFORE=<Event NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true TIME_PREFIX=SystemTime= From that point on Splunk should be able to parse xml event natively Note that xml event contains only bare xml data, while Windows event viewer also adds metadata to it, such as error message text. It might be possible to add this information while exporting logs (it offers saving language specific information during export), but I didn't try that. ... View more

if you plan to produce daily logs every day then you end up indexing the whole event history. Then there is no need to do "day filtering", but instead you can build views which show only today's events. ... View more

I am afraid at this time the application doesn't support CPU statistics from remote hosts. The issue is that it expects the statistics to come from WMI:CPU sourcetype (if you click on a link along "No results found" message you will see a search string like "search source=WMI:CPUTime host= | eval CPULoad = PercentProcessorTime"). The search doesn't include events forwarder from remote hosts. ... View more

Are you using windows explorer to do the test? The explorer does multiple calls into directory and file itself, first to show it to you and then open it (e.g. using notepad). Since audit check is done at Win32 API level it will generate multiple events. Explorer may also do periodic refresh of the directory, which also causes audit events to be logged. You can use ProcessMonitor from sysinternals to see details of file access. ... View more