I have a Splunk Forwarder running on Windows 2012 and I'm monitoring a share with archived .evtx files from other Windows servers. I discovered that Splunk was ingesting most small event logs (less than 1092 KB) but skipped larger files with events numbering in the thousands. While examining the _internal index within Splunk Enterprise, I saw that it was seeing and processing the large files; however, the total events always equaled zero. If I opened the .evtx file on a Windows computer and exported 256 events (the maximum it allowed me to export at a time) to a new .evtx file, Splunk would see and process the right number of events and ingest the file without any issue.
Has anyone seen this before?
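One way to pin down which archived files show the symptom, as an added example that is not part of the original post and not Splunk's own tooling: the script below walks the monitored share, records each .evtx file's size and the number of events Windows itself can read from it with Get-WinEvent, and flags files above the 1092 KB size mentioned in the post. The share path and the size threshold are assumptions; the resulting table gives a per-file expected event count that can be compared against what Splunk reports for the same source.

```powershell
# Added diagnostic (not from the original post). Inventory archived .evtx files on the
# monitored share and count the events Windows can parse from each, so the expected
# event count per file can be compared with what the forwarder actually ingested.

# Assumption: the monitored share path; replace with the real one.
$SharePath = '\\FILESERVER\EventLogArchive'

# Assumption: size above which the post observed zero ingested events (1092 KB).
$ThresholdKB = 1092

$report = Get-ChildItem -Path $SharePath -Filter '*.evtx' -Recurse -File | ForEach-Object {
    $file = $_

    # Get-WinEvent -Path reads a saved .evtx directly. A file that Windows itself
    # cannot parse (corrupt or truncated archive) will surface here as an error,
    # which is worth distinguishing from a file Splunk merely skipped.
    $parseError = $null
    $eventCount = 0
    try {
        $eventCount = (Get-WinEvent -Path $file.FullName -ErrorAction Stop | Measure-Object).Count
    }
    catch {
        $parseError = $_.Exception.Message
    }

    [pscustomobject]@{
        File            = $file.FullName
        SizeKB          = [math]::Round($file.Length / 1KB, 1)
        OverThreshold   = ($file.Length / 1KB) -gt $ThresholdKB
        WindowsEvents   = $eventCount
        ParseError      = $parseError
    }
}

# Files Windows reads fine but that exceed the threshold are the candidates to check
# against Splunk's per-source counts; files with a ParseError are a different problem.
$report | Sort-Object SizeKB -Descending | Format-Table -AutoSize

# Optional: keep the inventory for comparison with Splunk's own view of the same sources.
$report | Export-Csv -Path (Join-Path $env:TEMP 'evtx-inventory.csv') -NoTypeInformation
```

Counting events in very large archives with Get-WinEvent can take a while, so run this against a subset first; the point is to establish, file by file, how many events Windows sees so that a zero count on the Splunk side can be attributed to ingestion rather than to the archive itself.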