eventid.net

m1ster1985
Explorer

Dear all,

Could you help me resolve an issue I cannot address myself?
I installed the Add-on for Microsoft Windows and did everything according to the instructions. Now Splunk is receiving logs from one Windows computer; I can see them in the data summary. The next step was the installation of the eventid.net app to consolidate and visualize the received logs. However, after I installed and configured it according to the instructions, eventid.net does not show any logs on its dashboards.
I have no idea where I should look to find out why eventid.net does not work. Could you please help me troubleshoot this problem? I am ready to provide any screenshots of my configuration.

These are some details of my configuration.
I configured the inputs.conf located in /opt/splunk/etc/apps/Splunk_TA_windows/local with the following configuration:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

I also copied this configuration to the deployment server (/opt/splunk/etc/deployment-apps/Splunk_TA_windows/local). The configuration is successfully transmitted to the computer with the Universal Forwarder (I checked the configuration of the UF).

However, when I look at the event logs in "Search and Report", I see that the logs are coming in with index = "main" instead of "wineventlog", as I specified in inputs.conf.
Selected fields:
host = ComputerNAME
index = main
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog

I do not understand why the event logs are coming in with index = main.
I configured eventid.net in the following way:
"The EventId App will analyze the specified index: (index="wineventlog" OR source=XmlWinEventLog*)"
Thank you.

0 Karma

jarizeloyola
Path Finder

Is the configuration in inputs.conf sending to the right index?
Is the data stored in a different index? You can update the [event_sources] section of macros.conf.

0 Karma

m1ster1985
Explorer

Hello,

This is the first problem. I configured the inputs.conf located in /opt/splunk/etc/apps/Splunk_TA_windows/local with the following configuration:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

I also copied this configuration to the deployment server (/opt/splunk/etc/deployment-apps/Splunk_TA_windows/local). The configuration is successfully transmitted to the computer with the Universal Forwarder (I checked the configuration of the UF).

However, when I look at the event logs in "Search and Report", I see that the logs are coming in with index = "main" instead of "wineventlog", as I specified in inputs.conf.
Selected fields:
host = ComputerNAME
index = main
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog

I have no idea why the event logs are coming in with index = main.
I configured eventid.net in the following way:
"The EventId App will analyze the specified index: (index="wineventlog" OR source=XmlWinEventLog*)"

0 Karma

jarizeloyola
Path Finder

Can you run btool on the UF, just to check what inputs.conf it is getting?

0 Karma
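The btool check suggested above, worked through as an added example (this is not code from the thread, the eventid.net app or Splunk_TA_windows). The POSIX shell helper parses the output of `splunk btool inputs list --debug`, in which every line is prefixed with the file that supplied that setting, and reports, for the [WinEventLog://Security] stanza, which file wins for each key. The btool output embedded below is constructed, not the poster's real output, and the app name A_old_wineventlog and the /opt/splunkforwarder paths are assumptions. The sample reproduces the symptom reported in the thread: the posted local/inputs.conf says index = wineventlog and renderXml = false, yet events arrive in main with sourcetype XmlWinEventLog, which is what renderXml = true produces, so some other file must be taking precedence for that stanza.

```shell
#!/bin/sh
# Added example (not from the thread): find which inputs.conf file wins for each
# setting of a stanza, using the output of `splunk btool inputs list --debug`.
#
# On a real forwarder, capture the output once and pass the file name:
#   $SPLUNK_HOME/bin/splunk btool inputs list --debug > /tmp/btool-inputs.txt
#   stanza_settings 'WinEventLog://Security' /tmp/btool-inputs.txt
# Without a file argument the functions fall back to the constructed sample below.

# Constructed sample of --debug output (not the poster's real output). Each line is
# "<file that supplied the setting> <key = value>"; a "[stanza]" line opens a stanza.
# The app A_old_wineventlog is hypothetical: its name sorts before Splunk_TA_windows,
# so its local settings take precedence and override index and renderXml.
SAMPLE_BTOOL='/opt/splunkforwarder/etc/apps/A_old_wineventlog/local/inputs.conf [WinEventLog://Security]
/opt/splunkforwarder/etc/apps/A_old_wineventlog/local/inputs.conf index = main
/opt/splunkforwarder/etc/apps/A_old_wineventlog/local/inputs.conf renderXml = true
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://System]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1'

# Emit the raw btool output: the given file, or the sample when none is given.
btool_output() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_BTOOL"; fi
}

# Print "key<TAB>value<TAB>file" for every setting that btool attributes to STANZA.
stanza_settings() {
    btool_output "$2" | awk -v want="[$1]" '
        # A line whose last field looks like [stanza] starts a new stanza
        $NF ~ /^\[.*\]$/ { in_stanza = ($NF == want); next }
        in_stanza {
            file = $1; key = $2
            sub(/^[^ ]+ [^ ]+ = /, "", $0)   # drop "file key = ", keep the full value
            printf "%s\t%s\t%s\n", key, $0, file
        }'
}

# Effective value of KEY in STANZA (empty if no file sets it).
setting_value()  { stanza_settings "$1" "$3" | awk -F'\t' -v k="$2" '$1 == k { print $2; exit }'; }

# File that supplied KEY in STANZA (empty if no file sets it).
setting_source() { stanza_settings "$1" "$3" | awk -F'\t' -v k="$2" '$1 == k { print $3; exit }'; }

# Diagnose the symptom from the thread: events land in "main" with sourcetype
# XmlWinEventLog (which renderXml = true produces) although local/inputs.conf
# in Splunk_TA_windows says index = wineventlog and renderXml = false.
diagnose_security_input() {
    stanza='WinEventLog://Security'
    idx=$(setting_value "$stanza" index "$1")
    xml=$(setting_value "$stanza" renderXml "$1")
    if [ "$idx" != wineventlog ]; then
        echo "index is '${idx:-<unset, so the default index>}' from: $(setting_source "$stanza" index "$1")"
    fi
    if [ "$xml" = true ]; then
        echo "renderXml = true from: $(setting_source "$stanza" renderXml "$1")"
    fi
    if [ "$idx" = wineventlog ] && [ "$xml" != true ]; then
        echo "stanza matches the intended configuration"
    fi
}

diagnose_security_input "$1"
```

Run against the sample, the diagnosis names the hypothetical A_old_wineventlog/local/inputs.conf as the source of both index = main and renderXml = true; run against a real capture, it points at whichever app on the forwarder actually wins, which is the answer to "is inputs.conf sending to the right index" without pasting the whole btool output into the thread.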

m1ster1985
Explorer

Unfortunately, I can't copy the output of the btool command because it is too big, and I can't attach a file due to a lack of karma points.
Perhaps you want to see particular strings?

0 Karma