Feedback
Got feedback? We want it! Submit your comments and suggestions for our community here.
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows log ingestion issue

test1022
New Member
‎07-09-2025 04:08 AM

As stated in the subject, we are currently unable to ingest Windows logs.

It appears that the installation has been completed, and that the Splunk Add-on for Windows has been installed on both the Universal Forwarder and the Splunk platform. However, no data is being ingested at all.

We would like you to check the current state to determine what is happening.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-14-2025 02:49 PM

Hi @test1022 

Are you able to see the _internal logs for your Universal Forwarder (UF) host in your Splunk deployment? This would indicate that it is succesfully connecting to your indexer(s), if this is the case then I would validate that the Windows app inputs are enabled on your UF. 

From the UF run a btool to check that disabled is not false/0 for the desired Windows inputs:

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-09-2025 05:11 AM

This forum is for questions and answers about Splunk products.  It's not a consultation service.  If you need someone to look at your system then Splunk offers On Demand Services and Professional Services for that.

Have you enabled inputs in the Splunk Add-on for Windows on the UF?  Did you restart the forwarder after enabling the inputs?  How did you determine no data is being ingested?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...