Splunk® Enterprise

Getting Data In


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Windows event logs - local

Splunk allows for fast, easy collection of Windows event logs. Whether it's for alerting on security events, or for reporting on or searching for particular event IDs to determine the health of your Windows systems, Splunk's event log collection capabilities make it a snap.

To get local Windows event log data, point Splunk at your Event Log service:

1. From the Home page in Splunk Web, click Add data.

2. Under the To get started... banner, click Windows event logs.

3. Click Next under Collect Windows event logs from this Splunk server.

4. In the "Available Logs" window, click on the event log channels that you want Splunk to monitor.

The log channels will appear in the "Selected Logs" window.

5. Optionally, set the destination index for this source by selecting an index from the Index drop-down box.

6. Click Save.

7. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to see data from the events as they come into Splunk.

For more information on getting Windows event log data into Splunk, see "Monitor Windows event log data" in the Getting Data In manual.
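The inputs.conf equivalent of steps 4 to 6 above, as an added example that is not part of this manual page; it is what you would deploy when configuring many hosts without clicking through Splunk Web. The channel names, the index name and the file path are assumptions.

```ini
# Added example, not from the Splunk manual. Assumed location on the Windows host:
# $SPLUNK_HOME\etc\system\local\inputs.conf (an app's local\inputs.conf works too).
# Channel and index names below are assumptions; pick the ones you selected in step 4.

# Step 4: each channel chosen in "Available Logs" becomes its own WinEventLog:// stanza.
# Reading the Security channel requires the Splunk service account to have read
# rights on that log (the default Local System account has them).
[WinEventLog://Security]
disabled = 0
# Step 5: optional destination index; the index must already exist on the indexer.
index = wineventlog
# Ingest the existing backlog once, then keep following new events.
start_from = oldest
current_only = 0

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog
```

Restart Splunk for the stanzas to take effect, then confirm events are arriving with a search such as `index=wineventlog sourcetype=WinEventLog:Security`.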


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
