I am trying to bring in windows logs from a client...

Getting Data In

This is the inputs from the app I created for the windows logs:

[WinEventLog://Application]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=0

[WinEventLog://Security]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=0

[WinEventLog://System]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=0

I created a special index for it, but it is not getting any results. I also have sent over the splunk TA for windows logs, but still nothing is coming in. The index was created successfully and the apps show on the client. What else am I missing.

Get Updates on the Splunk Community!

I am trying to bring in windows logs from a clients server, but nothing is showing. I created a new application.

index

inputs.conf

universal forwarder

Windows

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?