I'm using 4.2 on Win 2008 R2. Splunkd is running with a domain admin account.
When I add my two DCs to get security event logs, it starts indexing forever until it runs out of the license.
Each server has a total of about 15k events, but Splunk indexed over 2 million (!) events from each machine.
Here is my conf:
[WMI:Security - Domain Controllers]
disabled = 1
event_log_file = Security
index = default
interval = 5
server = xxxdc01, xxxdc02
This was generated by the UI.
Any ideas on how to get it to work?