Hi all,
I have 3 Splunk 6.4.1 Indexers and a Splunk 6.4.1 Search Head + Distributed Management Console (DMC) on Linux Red Hat 6.6.
I've tested Windows Event Log on Windows 2008 R2 Domain Controller Servers in a Preproduction environment with 1 Splunk 6.4.1 Indexer + Search Head + DMC, and the forwarded Event Logs were all ok.
I've migrated the Splunk Universal Forwarder (SUF) in Production from 5.0.2 to 6.4.3 with a clean installation (uninstall SUF 5.0.2, reboot the server and reinstall SUF 6.4.3). Before, with SUF 5.0.2, Windows Events were forwarded with no problem; after the SUF clean upgrade to 6.4.3 I received the following message once:
Received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:Security' host='host::my-host' sourcetype='sourcetype::WinEventLog:System' (1 missing total)
and Event Logs stopped being forwarded.
I haven't changed the configuration on my Indexers and Search Head; below is my configuration:
[serverclass:domain_controller]
host = my-dc-host
[serverclass:domain_controller:app:domain_controller]
* $SPLUNK_HOME/etc/deployment-apps/domain_controller/default/inputs.conf
[WinEventLog://Security]
disabled = 0
(I've also tried to add "index = main" at the bottom of the above stanza with no results).
And other configurations to send logs globally from deployment clients to the deployment server...
I've tried to uninstall and reinstall SUF 6.4.3, but the issue was not resolved. I've also read all the Splunk Answers on the same problem, but before the SUF upgrade Windows Event Logs were forwarded with no problem, and in Preproduction all works fine.
Any suggestion?
Regards.
After working through the issue.
Splunk_TA_windows from the new install of the UF, and that would override the app
domain_controller because a capital S takes a higher priority on an app than a lowercase d.
Okie
It appears that your events are going to a new index called wineventlog, perhaps on the older system they were going to winevents.
The solution here is to create a new index called wineventlog, or use your inputs.conf to direct the data back to the old existing index name.
I assume this is a result of the Windows TA upgrade.
Okie
I know that events are going to a new index that does not exist, but my trouble is a different one.
I have plain Splunk Enterprise Core, no TA. My issue is particular because before, with SUF 5.0.2 to Indexer 6.4.1, Windows Event Log was forwarded; after the "clean" upgrade to SUF 6.4.3 the Forwarder stopped sending Event Logs to Indexer 6.4.1.
Before the SUF upgrade, Event Logs were going to the "main" index with no explicit declaration in inputs.conf, so I've tried to explicitly configure the previously used index in inputs.conf and reload the serverclasses, with no success, and I don't need to create a new index because prior to the upgrade this worked.
In the Preproduction environment all works fine and SUF forwards event logs to the Indexer.
I hope I explained myself.
With this point:
$SPLUNK_HOME/etc/deployment-apps/domain_controller/default/inputs.conf
[WinEventLog://Security]
disabled = 0
(I've also tried to add "index = main" at the bottom of the above stanza with no results).
Are you overriding in the local directory? The local version will always override, as per Configuration file precedence.
I would recommend you run:
splunk btool inputs list --debug
to determine what index= setting is being applied to the stanza you mention on the forwarder; the above command should be run on a forwarder with the issue. Splunk btool is documented here.
No override, local directory is empty.
I think there is an echo in here..... ( =
You posted 2 minutes after me 😛
Nice comment by the way 🙂
According to my screen you were two minutes after me..... And since you are not my wife....I know I am right. haha.
My bet is he has
Splunk_TA_windows from the new install of the UF, and that would override the app
domain_controller because a capital S takes a higher priority on an app than a lowercase d.
We shall see.
Okie
Not trying to be difficult here, but I am having an issue following you.
Run this command on the UF that had 5.0.4 uninstalled and then the new 6.4.3 installed:
splunk btool inputs list --debug |findstr wineventlog > support.txt
Paste me what is in that file.
Okie
Ok, I did the trick!
The Forwarder upgrade with no custom options created Splunk_TA_windows, which overrode my "domain_controller" app under the UF path "$SPLUNK_HOME\etc\apps". I ran the btool command and got the following result:
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
So I've uninstalled the UF and reinstalled it with "Customize Options", unchecking all flags under "Windows Event Logs". After installation I checked that the "Splunk_TA_windows" directory does not exist under "$SPLUNK_HOME\etc\apps", then started the SplunkUniversalForwarder service; the Deployment Server pushed the configurations to the Deployment Client and now I receive logs.
Thx all for support!!!
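As an added illustration (not code from this thread or from Splunk), the following Python models the global-context precedence the answers above rely on: all app local directories outrank all app default directories, and within a layer app directory names are compared in plain ASCII order, so Splunk_TA_windows/default wins over domain_controller/default for index=, and setting index in the deployed app's default cannot help. The app names, stanza and values are taken from the thread; the sample configuration dictionary is constructed, and the layering rule is Splunk's documented precedence for inputs.conf.

```python
# Added illustration, not from the thread or Splunk: a model of the global-context
# precedence Splunk applies to inputs.conf, so the override can be reasoned about
# offline. Order modelled: system/local, then every app's local directory (apps in
# ASCII order, so "S" sorts before "d"), then every app's default directory (ASCII
# order), then system/default. Sample stanzas are constructed from the thread.

SAMPLE_CONFIGS = {
    # deployment-server app pushed to $SPLUNK_HOME/etc/apps on the forwarder
    ("app", "domain_controller", "default"): {
        "WinEventLog://Security": {"disabled": "0", "index": "main"},
    },
    # app created by the 6.4.3 installer when the Windows Event Log boxes are ticked
    ("app", "Splunk_TA_windows", "default"): {
        "WinEventLog://Security": {"disabled": "0", "index": "wineventlog"},
    },
}


def location_rank(location):
    """Lower tuple sorts first and wins. location = (scope, app, layer)."""
    scope, app, layer = location
    if scope == "system":
        return (0, "") if layer == "local" else (3, "")
    # All app/local entries outrank all app/default entries; ties are broken by
    # plain ASCII comparison of the app directory name, as Splunk does.
    return (1 if layer == "local" else 2, app)


def candidates(configs, stanza, key):
    """Every file that sets key in stanza, best first (like btool --debug)."""
    found = [
        (location_rank(loc), loc, files[stanza][key])
        for loc, files in configs.items()
        if key in files.get(stanza, {})
    ]
    return [(loc, value) for _, loc, value in sorted(found)]


def resolve(configs, stanza, key):
    """Return (value, winning_location), or (None, None) if nothing sets it."""
    ordered = candidates(configs, stanza, key)
    return (ordered[0][1], ordered[0][0]) if ordered else (None, None)


def with_local_override(configs, app, stanza, key, value):
    """Copy of configs with key set in app/local, the fix suggested in the thread."""
    patched = dict(configs)
    patched[("app", app, "local")] = {stanza: {key: value}}
    return patched


def without_app(configs, app):
    """Copy of configs with every layer of app removed (the fix actually applied)."""
    return {loc: files for loc, files in configs.items() if loc[1] != app}
```

`candidates()` lists every file that sets the key in precedence order, which is the same information `splunk btool inputs list --debug` prints on a real forwarder.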
Ok, I'll try to execute the above command and paste the output.