Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Windows event logs - remote

Splunk can monitor Windows event logs, both locally and remotely over WMI. Whether you want to alert on security events, or report on and search specific event IDs to determine the health of your Windows systems, Splunk's event log collection makes it straightforward.

Important: To collect Windows event logs remotely, your Splunk instance must run as a domain user account that has rights on the machines from which you want to collect. Because collection is over WMI, that account needs DCOM and WMI access to each remote host plus read permission on the channels you select; the Security channel is the one most often restricted. Review "Considerations for deciding how to monitor remote Windows data" in this manual for additional information.

To get remote Windows event log data, point Splunk at a remote machine's Event Log service:

1. From the Home page in Splunk Web, click Add data.

2. Under the To get started... banner, click Windows event logs.

3. Click Next under Collect Windows event logs from another machine.

4. In the Event Log collection name field, type in a unique name for the event logs you will be collecting.

5. In the Choose logs from this host field, enter the hostname for a machine on your Windows network. You can specify a short hostname, the server's fully qualified domain name, or its IP address.

6. Click Find logs… to get a list of the available event log channels on the remote machine. Splunk connects to the host over WMI to build this list, so a failure at this step usually means a credential or firewall problem rather than a Splunk configuration problem.

7. In the Available log(s) window that appears, click once on the event log channels you want Splunk to monitor.

The log channels will appear in the Selected Logs window.

8. Optionally, you can specify additional servers to collect the same set of event logs from. Type in each of the hostnames, separating them with commas.

9. Another option is to set the destination index for this source. You can do so by selecting an index from the Index drop-down box.

10. Click Save.

11. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to see data from the events as they come into Splunk.
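Before running through the steps above, it is worth confirming that the account Splunk runs as can actually reach each remote host over WMI and read the channels you intend to select, since that is exactly what Find logs… and the saved input will do. The following PowerShell script is an added example and is not part of the Splunk documentation or product; run it as the splunkd service account (or pass -Credential to test another account). It checks the RPC endpoint mapper on TCP 135, enumerates the classic log channels with Win32_NTEventlogFile (the same set Splunk Web shows under Available log(s)), tries to read one record from each requested channel through Win32_NTLogEvent, and finally prints a wmi.conf stanza equivalent to what Splunk Web writes when you click Save. The hostnames, the stanza name RemoteWinEvents, the index name and the 5-second interval are illustrative assumptions.

```powershell
# Added example, not Splunk's own code: pre-flight checks for remote Windows event
# log collection over WMI, plus the equivalent wmi.conf stanza.
# Usage:  .\Test-SplunkWmiAccess.ps1 -ComputerName fs01, fs02.corp.example
#         (add -Credential (Get-Credential) to test a different account; -Credential
#          cannot be used against the local machine)
param(
    [Parameter(Mandatory = $true)] [string[]] $ComputerName,        # assumed: hostnames to test
    [string[]] $Channel = @('Application', 'System', 'Security'),   # assumed: channels to collect
    [System.Management.Automation.PSCredential] $Credential        # omit to use the current logon token
)

function Test-WmiEventLogAccess {
    param([string] $Computer, [string[]] $Channel, $Credential)

    $result = [ordered]@{ Computer = $Computer; Rpc135 = $false; Channels = @(); Readable = @(); Denied = @() }

    # 1. DCOM/RPC endpoint mapper on TCP 135. WMI also needs the dynamic RPC port
    #    range open between Splunk and the target, but if 135 is closed nothing else matters.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Computer, 135)
        $result.Rpc135 = $tcp.Connected
        $tcp.Close()
    } catch {
        Write-Warning "$Computer : TCP 135 unreachable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    $wmi = @{ ComputerName = $Computer; ErrorAction = 'Stop' }
    if ($Credential) { $wmi.Credential = $Credential }

    # 2. Enumerate classic log channels. Win32_NTEventlogFile (and therefore WMI
    #    collection) only sees classic logs such as Application, System and Security,
    #    not the Applications and Services logs.
    try {
        $result.Channels = @(Get-WmiObject -Class Win32_NTEventlogFile @wmi |
                             Select-Object -ExpandProperty LogfileName)
    } catch {
        Write-Warning "$Computer : WMI connect failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 3. Read one record per requested channel through Win32_NTLogEvent, the class the
    #    WMI input queries. Enumeration can succeed while a read of Security is denied,
    #    so a listed channel is not proof that collection will work.
    foreach ($c in $Channel) {
        if ($result.Channels -notcontains $c) { $result.Denied += "$c (no such channel)"; continue }
        try {
            $null = Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='$c'" @wmi |
                    Select-Object -First 1
            $result.Readable += $c
        } catch {
            $result.Denied += "$c ($($_.Exception.Message))"
        }
    }
    [pscustomobject]$result
}

function New-WmiEventLogStanza {
    # Text of the wmi.conf stanza that corresponds to the Splunk Web form above:
    # one [WMI:<collection name>] stanza, comma-separated servers and channels.
    param([string] $Name, [string[]] $Server, [string[]] $Channel, [string] $Index = 'main', [int] $Interval = 5)
@"
[WMI:$Name]
server = $($Server -join ', ')
interval = $Interval
event_log_file = $($Channel -join ', ')
index = $Index
disabled = 0
"@
}

$results = foreach ($c in $ComputerName) {
    Test-WmiEventLogAccess -Computer $c -Channel $Channel -Credential $Credential
}
$results | Format-Table Computer, Rpc135, Readable, Denied -AutoSize

# Only hosts where every requested channel was readable go into the stanza; fix the
# Denied entries (firewall, DCOM/WMI permissions, log read rights) before adding the rest.
$ok = @($results | Where-Object { $_.Readable.Count -eq $Channel.Count } |
        Select-Object -ExpandProperty Computer)
if ($ok.Count -gt 0) {
    New-WmiEventLogStanza -Name 'RemoteWinEvents' -Server $ok -Channel $Channel -Index 'wineventlog'
}
```

A host that passes the TCP 135 check but fails at step 2 has a DCOM or WMI namespace permission problem for that account; a host that lists Security under Channels but reports it under Denied needs the account granted read access to that log on the remote machine. Resolve those before clicking Find logs…, because the Splunk Web form will hit the same errors with less detail.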

For more information on getting data from Windows event logs, see "Monitor Windows event log data" in this manual.

Last modified on 23 October, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
