Thanks for your reply. I have review the REST API. Unfortunately, I have missing how to define the input for win-event-log-collections from multiple remote Windows Splunk Forwarders.

The steps I perform via the user interface are:

1. Data Inputs -> Windows Events Log (Forwarded Inputs)
2. Select Forwarders:
   • Select a host from available hosts
   • Specify a new class name
3. Select Source (what kind of events to collect)
4. Select Index

I need a way to do the same with the SDK (or REST API). However, the specification of
data/inputs/win-event-log-collections POST
states only for WMI collection and not for remote Forwarders.

I see that browser uses the URL /data/inputs/remote_eventlogs, but cannot find its specification

Can you explain what you are trying to do in general? Why do you need to configure your Windows forwarders using your own custom code vs. using the Splunk-supplied configuration mechanism known as the Deployment server?

The DS allows you to group similar forwarder hosts together into what's called a server class, and ensure that all machines in a given server class get the same Splunk configuration applied to them. On the forwarder side, you define the deployment server address once (in deploymentclient.conf) and from there on, the forwarders will keep there configuration in synch with what is specified on the deployment server.

The link above documents the REST API call you can use for BOTH, local as well as WMI-based inputs, depending on the lookup_host and name attributes.

Understanding your requirements better would help in guiding you down the best path.