I would like to index .evtx file stored in a different location in my universal forwarder.
What are the approaches we have, to index these files?
I read some documentation but have a few concerns, like that the file should not be written to while it is being read by Splunk? If so, how can we achieve this?
Splunk doesn't constantly lock a file so you don't have to worry about that.
Just put a monitor stanza over the file. (Imagine how useless Splunk would be at monitoring log files if it blocked them from being written at all times.)
Yes, I do use monitor stanzas on files that are continuously being written, without a problem.
The props and transforms you may or may not need will depend on what your file contains, which I am not aware of, of course.
Take a look at this doc for starters and explore from there if a simple monitor doesn't solve it
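An inputs.conf monitor stanza for archived .evtx files, added here as an example and not part of the original answer; the directory path and index name are placeholders, and it assumes a forwarder running on Windows and the `preprocess-winevt` sourcetype that Splunk documents for exported .evt/.evtx files (check the docs for your version before relying on it):

```ini
# inputs.conf on the universal forwarder (constructed example)
# Assumptions: the forwarder host is Windows, and exported event log files
# are decoded by the preprocess-winevt sourcetype documented by Splunk.
# The monitor input tails the file with a read cursor; it does not take an
# exclusive lock, so whatever writes the .evtx files is not blocked.

[monitor://D:\archived_logs\*.evtx]
disabled = 0
sourcetype = preprocess-winevt
index = wineventlog_archive
# crcSalt makes files with identical headers (common for exported logs)
# register as distinct inputs instead of being skipped as duplicates.
crcSalt = <SOURCE>
```

Only add props.conf/transforms.conf on the indexer if the default parsing of the exported events (timestamps, event breaking, field extraction) turns out to be insufficient for the files you have.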