Getting Data In

Indexing Log files which are in zip format

1234testtest
Path Finder

Hi,
I am looking at indexing log files (Windows event log .evt files which are zipped). Is there a step-by-step procedure on how to index these files?

I have looked at some answers earlier but couldn't find a complete solution.
http://splunk-base.splunk.com/answers/42128/indexing-zip-files

0 Karma

rturk
Builder

By default Splunk will unzip files in a directory that it is configured to monitor, however it may be complicated by the fact that it's a zipped binary (I'd test, but I'm on a Mac/Unix setup), but I can't think of any reason why it wouldn't work.

You might want to have a look at this:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Index_exported_event_log_...

Does it index an uncompressed .evt file without a problem?

0 Karma

1234testtest
Path Finder

Also I find that in the splunkd log files there is an error reported:
ERROR WinRegistryApi - RegKey::open - RegOpenKeyExW returned error 2
Is this in any way related to indexing event.zip files which have a folder path specified inside the zip file?

0 Karma

1234testtest
Path Finder
  1. Event.zip files are being indexed when we choose, while adding data, "Or Choose a Data Source" - "From files and directories". It doesn't work when going through the route "Choose a Data Type" and "A file or directory of files".

  2. The challenge still remains - when I choose a single event.zip file and upload and index (taking the route mentioned in 1 above), it gets indexed.

If we choose "Continuously index data from a file or directory this Splunk instance can access" and point to the directory where there are zipped event files, they are not being indexed.
The zip file contains a path inside it - when we open the zip file there is a folder structure, Data1\event_bkup, and the .evt file resides inside the event_bkup folder.

When I use btool I see that the directory is listed for monitoring. How do we solve this issue?

0 Karma
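A check I would run on such an archive before pointing a monitor input at the directory, added here as an example and not part of the thread: it reads the zip's member list in memory and reports which entries sit under a nested folder path (as with Data1\event_bkup above), which carry Windows-style backslash separators, and which are actually .evt files. The sample archive is constructed inline with dummy bytes; Splunk's own unzip behaviour is not modelled.

```python
import io
import zipfile

# Constructed sample archive mirroring the layout described in the thread:
# a folder path inside the zip (Data1/event_bkup) with the .evt file beneath it.
# The .evt contents are dummy bytes, not a real event log.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Data1/event_bkup/Security.evt", b"\x00" * 64)
        # Some Windows archivers store backslash-separated names; include one.
        zf.writestr("Data1\\event_bkup\\Application.evt", b"\x00" * 64)
        zf.writestr("Data1/readme.txt", b"exported from server01\n")
    return buf.getvalue()

def inspect_archive(data: bytes, wanted_suffix: str = ".evt") -> dict:
    """Report what a file monitor would see once this archive is expanded."""
    report = {"members": [], "nested": [], "backslash_paths": [],
              "matching": [], "unreadable": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["unreadable"] = True
        return report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            report["members"].append(name)
            if "\\" in name:
                report["backslash_paths"].append(name)
            # Normalise separators so nesting is detected either way.
            if "/" in name.replace("\\", "/"):
                report["nested"].append(name)
            if name.lower().endswith(wanted_suffix):
                report["matching"].append(name)
    return report

if __name__ == "__main__":
    for key, value in inspect_archive(build_sample_zip()).items():
        print(f"{key}: {value}")
```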

lguinn2
Legend

Here is a link to the docs where it discusses monitoring Windows event logs - notice that there is a paragraph about indexing exported event logs, which implies that Splunk can index .evt files.

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorwindowsdata

dangeloma
Explorer

For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files:

https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata

0 Karma