Any reason you're ingesting windows logs like this, by pointing at the evtx files? I think Splunk documentation even explicitely mentions that you shouldn't read the live evtx file that is still being written to.
To ingest windows logs from the local machine, use the
[WinEventLog://Security] input stanza. For details: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata
I am receiveing below mentioned error with high frequency.
ERROR TcpInputProc - Message rejected. Received unexpected message of size=174291836 bytes from src=x.x.x.x:12345 in streaming mode. Maximum message size allowed=63412458. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
I haven't configured outputs.conf as during installation I enter the deployment server and receiver indexer details.The same purpose will be done in ouput.conf if you didn't enter during installation.Other than input.conf I didn't changed any configuration.
Am I right or missing something.