I've installed Splunk Security Essentials App and Splunk TA for Windows. However, when I run the Data Source Check I get a notice that the src field must be defined in the Security logs. It says the TA for Windows should provide the field definition. I think this needs to be included in the inputs.conf file for the TA for Windows app. Any ideas how to resolve the message and/or what to add to the inputs.conf file?
I had CIM add on installed last night and I still receive the error on data source check.
You should have a field called "src" defined in your Windows Security logs. This is provided by the Splunk TA for Windows, and any other common information compliant data. Consider adding that TA to make for a better experience!