Getting Data In

How to limit Windows Security logs with inputs.conf?


I was pretty sure back when we installed the system we limited a bunch of things, but now I cannot find the configuration anywhere.  In the typical /opt/splunk/etc/system/local on my Splunk Server I do not seem to have the inputs.conf file anymore?  Is there where I would limit my ingesting or do I do it on the Splunk Forwarder level?

I am getting a lot of 4634 which is filling up my license quota.  I want to not log the Logon Type 3's.  Can I just create the file where it should be and start adding things there or how should I go about it?

Labels (2)
0 Karma


I have that app already but that folder doesn't appear to have an inputs.conf folder in it.

0 Karma


Hi @rpearson,

at first $SPLUNK_HOME/etc/system/local isn't the typical location of inputs.conf, there's an inputs.conf but it's usual only for TCP:9997 data from other forwarders, don't use it for your inputs.

The best approach is to have inputs in dedicated App (not the ones already present in $SPLUNK_HOME/etc/apps).

In your case, you should explore the Splunk_TA_Windows App ( that already gives you all the inputs to use.

In this case you have to install it and enable the inputs you need by GUi if you're in a Splunk instance or via conf file if you're in  a Universal Forwarder, following the instructions at

To reduce the License consuption, you can Whitelist the EventCodes you want or Blacklist the ones you want discard (, obviously in this case you limit your monitorig opportunities.



0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...