topic Splunk WEF proper inputs conf in Splunk Enterprise

Splunk WEF proper inputs conf

elend — Thu, 30 Oct 2025 10:43:37 GMT

Hi everyone
Im on process ingesting WEF event that collected on a server folder, let said D:\WEF\ForwardedEvents.evtx. Which one is the proper inputs?
1. Follow the TA-windows default

[WinEventLog://ForwardedEvents] disabled = 1 start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=true host=WinEventLogForwardHost index=win_wef

Or using monitor stanza like

[monitor://D:\WEF\ForwardedEvents.evtx] disabled = 0 index = win_wef sourcetype = XmlWinEventLog:ForwardedEvents host = WinEventLogForwardHost

it consumed on clustered indexer and I already make sure the index exist and distributed properly, but still no data ingested to the indexer. Anny suggestions?

Thank you.

Re: Splunk WEF proper inputs conf

PickleRick — Thu, 30 Oct 2025 13:16:21 GMT

You don't monitor the evtx files correctly.

Use the WInEventLog://ForwardeEvents input.

Just be aware that your example contains a disabled input. So if you configured your environment this way this input will not pull data from the Event Log.

Re: Splunk WEF proper inputs conf

elend — Thu, 30 Oct 2025 18:26:29 GMT

oh yeah, that disabled set true because i try the monitor options. So there's no need to update from the props.conf too or other config except enabling the inputs?

Re: Splunk WEF proper inputs conf

PickleRick — Fri, 31 Oct 2025 11:30:53 GMT

It's... relatively easy but can be a bit complicated 😉

Generally, an input and output are the only two things that are needed for your UF to get data and send them to an indexer.

In some specific use cases/configurations (like differentiating sourcetypes within files read by a single monitor input, assigning a timezone to data read from a particular forwarder or using indexed extractions; your case is neither of those) you need settings in props.conf on the UF as well. But in general, the settings from props.conf which are used on the UF are not mandatory.

Setings from props and transforms are applied (again - with some exceptions) on the indexers or a HF if you have one before your indexers. Normally those settings are critical for proper breaking of data stream into single events or timestamp recognition. In case of Windows Eventlogs the props/transforms which come with TA_windows also rewrite the source of the events and their host in case of WEF-forwarded events to the originating host and the original Event Log. So the events are properly seen as coming from System/Application/Security log and so on instead of just Forwarded Events.

But if you didn't have this addon installed you still should be getting those events (unless they have been filtered out somewhere in the middle). They would just be "malformed", but they'd be there.

To be continued...

EDIT: Continuing...

So there are several possibilities here why you're not getting your data. And there are several troubleshooting steps which you can take to narrow down the source of your problem.

1. Are you getting _any_ data from the forwarder? You can check the _internal index for forwarder's internal logs. If you're not getting them either there is a more general problem with your data ingestion from that forwarder than just this particular input.

2. Is this input able to read the data? Check the output of

splunk list inputstatus

on the forwarder. Check the forwarder's logs for problems subscribing to the event log (typically when the eventlog data is not ingested, there are problems with permissions for the user the forwarder service is running as).

3. If the forwarder is subscribing properly to the Forwarded Events log, check the forwarder metrics (thruput by source will be the best one here I think) to see if the events are getting sent out from the forwarder.

Re: Splunk WEF proper inputs conf

elend — Wed, 05 Nov 2025 08:43:46 GMT

Listing the inputs status give no eventlog listed. After some exploration, the forwarded eventlog is different with windows common eventlog (security, system) that can automated sent to the splunk.

I also try to match the user service that run splunkforwarder with the Event Log Readers permission. And there is no user has the permission. Maybe this one is the reason.

Re: Splunk WEF proper inputs conf

PickleRick — Wed, 05 Nov 2025 12:08:17 GMT

OK. If list inputstatus shows no wineventlog inputs at all that means that you didn't enable the input correctly.

Check

splunk btool inputs list --debug

on the forwarder

Re: Splunk WEF proper inputs conf

elend — Fri, 14 Nov 2025 07:28:33 GMT

Sorry for late update. Listing the inputs with btool show all the config and it also include the forwarded event stanza. Also when search for Event Log Reader permission i check this one. Am i need to add the user to the Event Log Reader group?

Re: Splunk WEF proper inputs conf

PickleRick — Sat, 15 Nov 2025 08:35:21 GMT

OK but does the output from the btool for the wineventlog://ForwardedEvents stanza contains disabled=1 or 0? If the input _is_ disabled it obviously won't work.

Re: Splunk WEF proper inputs conf

elend — Mon, 17 Nov 2025 02:22:59 GMT

Sorry, its my fault not paste the latest config from inputs. Clearly i already enable it but it still not come.

Re: Splunk WEF proper inputs conf

PickleRick — Mon, 17 Nov 2025 17:45:51 GMT

OK. If the input is indeed enabled and splunkd.exe still cannot read from it, check splunkd.log for issues. If there are permission problems you should get an information in the log about the forwarder not being able to subscribe to the event log channel.