Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexing Log files which are in zip format

1234testtest
Path Finder
‎07-13-2012 04:59 AM

Hi,
I am looking at indexing log files( windows event log .evt files which are zipped). Is there a step by step procedure on how to index these files.

I have looked at some answers earlier but couldnt find a complete solution.
http://splunk-base.splunk.com/answers/42128/indexing-zip-files

Tags (1)
0 Karma
Reply

rturk
Builder
‎07-15-2012 08:30 AM

By default Splunk will unzip files in a directory that it is configured to monitor, however it may be complicated by the fact that it's a zipped binary (I'd test, but I'm on a Mac/Unix setup), but I can't think of any reason why it wouldn't work.

You might want to have a look at this:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Index_exported_event_log_...

Does it index an uncompressed .evt file without a problem?

0 Karma
Reply

1234testtest
Path Finder
‎07-16-2012 01:00 AM

Also I find that in the splunkd log files there is an error reported
ERROR WinRegistryApi - RegKey::open - RegOpenKeyExW returned error 2
Is this anyway related to indexing event.zip files which have a folder path specified inside the zip file?

0 Karma
Reply

1234testtest
Path Finder
‎07-15-2012 11:30 PM

  1. Event.zip files are being indexed when we choose while Adding data "Or Choose a Data Source"- "From files and directories".Doesnt work when go through the route - "Choose a Data Type" and "A file or directory of files".

  2. The challenge still remains - when I choose a single event.zip file and upload and index (taking the route mentioned in 1 above), it gets indexed.

If we choose"Continuously index data from a file or directory this Splunk instance can access" and point to the directory where there are zipped event files, they are not being indexed.
The zip file contains a path inside it - when we open the zip file- there is a folder structure - Data1\event_bkup and the .evt file resides inside the event_bkup folder.

When I use btool - I see that the directory is listed for monitoring. How do we solve this issue.

0 Karma
Reply

lguinn2
Legend
‎07-15-2012 12:04 PM

Here is a link to the docs where it discusses monitoring Windows event logs - notice that there is a paragraph about indexing exported events logs, which impies that Splunk can index .evt files.

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorwindowsdata

Reply

dangeloma
Explorer
‎12-08-2020 10:17 AM

For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files:

https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata 

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...