Greetings all! I haven't worked with Splunk in about a year so I'm a little rusty.
Anyhow, I have Linux systems logging to Splunk with no issue. However, I seem to be running into a problem with Windows logs.
I installed a Universal Forwarder on a few systems. I adjusted the inputs.conf under the system/local folder with the below stanza. When I went into search and reporting > data summary, I was not seeing entries there for logs coming from these systems. However, I checked the wineventlog index and it was rapidly growing. Then, I thought maybe it was an index issue, so I created a new index and updated the stanza to point to that instead. Same issue - didn't see timestamp updates under Data Summary but the index was growing. Verified I couldn't search for the logs either.
From what you are saying above, searches work fine against default indexes but not against others, so have you tried specifying the index name you are searching against as part of your query?
index=wineventlog sourcetype=WinEventLog:* ...
By default, Splunk will only search against your default indexes if you don't specify "index=". You can change this in your user profile, by the way.
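As an added illustration (not part of the original thread), this is the authorize.conf fragment where the "indexes searched by default" setting actually lives. It is a per-role setting on the search head (Settings > Access controls > Roles in the web UI); the role name role_user and the index names are assumptions for illustration only:

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf on the search head
# (added example; role name and index names are assumptions for illustration)
[role_user]
# Indexes this role is permitted to search at all. If an index is missing
# here, a query that names it explicitly with index= still returns no events.
srchIndexesAllowed = main;wineventlog

# Indexes searched when a query does not specify index=. The host, source and
# sourcetype lists in Search & Reporting > Data Summary are built from these
# default indexes, so a new index that is not listed here will not show up.
srchIndexesDefault = main;wineventlog
```

After changing the role (or restarting splunkd if you edited the file by hand), confirm the effective setting with `splunk btool authorize list role_user --debug`, then run an explicit-index search such as `index=wineventlog sourcetype=WinEventLog:* | stats count by host`; if that still returns nothing while the index's event count keeps growing, check srchIndexesAllowed for the role before looking at the forwarder.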
The events for the affected hosts only populate/rise if I send the logs to the Default index. If I send them to wineventlogs or a custom one, they do not rise and are not searchable despite the Indexes themselves showing increasing events.