Good morning,
I have experience with Sysmon as well as a little experience with Splunk and I have configured it multiple ways.
1) I had x1 computer that I installed Sysmon and Splunk on for initial testing and due to lack of hardware. Once I installed Sysmon, I followed this path: Windows Logs -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational. I highlighted Operational, right-clicked, and then selected the Properties option. At that point you can view the Full Name field and the Log Path field. I found the best way to ingest logs at this point with my setup was to change Sysmon's Log Path to %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx, which enabled Sysmon logs to be stored in the Forwarded Events. In Splunk I then configured a local Windows connector to begin ingesting the logs.
2) I had x1 Windows workstation and x1 Windows Server that also had Splunk on it. I configured it this way once I gained more hardware and for content development. I never had the goal of enterprise log ingestion, but this solution could still work: I followed these instructions to install Sysmon and enable Windows Event Collection and Windows Event Forwarding.
https://natesec.com/configuring-windows-event-forwarding-with-sysmon/
Once the subscription was set up and I had logs moving from my workstation to the server, I once again used the local Splunk connector to ingest logs into Splunk from my server. Once again, the local Splunk connector would ingest ForwardedEvents logs without having to use other types of forwarders or downloading extra apps.
I hope this helps!
Resources:
https://natesec.com/sysmon-to-splunk/
https://natesec.com/configuring-windows-event-forwarding-with-sysmon/
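A check to run before pointing the Splunk local event log input at ForwardedEvents, as an added example that is not part of the original post: it reports where the Sysmon and ForwardedEvents channels write, then counts the Sysmon events that have arrived in ForwardedEvents by source computer and event ID. The one-hour window and the 5000-event cap are choices made for this example.

```powershell
# Added example (not from the original post). Run elevated on the machine Splunk reads from.
$channels = 'Microsoft-Windows-Sysmon/Operational', 'ForwardedEvents'

# 1. Where does each channel write, and is it enabled? (same data as the Properties dialog)
$channels | ForEach-Object {
    $log = Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue
    if ($log) {
        [pscustomobject]@{
            Channel = $log.LogName; Enabled = $log.IsEnabled
            Records = $log.RecordCount; LogFilePath = $log.LogFilePath
        }
    } else { Write-Warning "Channel not present on this host: $_" }
} | Format-List

# 2. Sysmon events seen in ForwardedEvents during the last hour (3600000 ms).
#    The XPath filter matches on the provider name stored in each event record.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Sysmon'] and " +
         "TimeCreated[timediff(@SystemTime) <= 3600000]]]"
$events = Get-WinEvent -LogName ForwardedEvents -FilterXPath $xpath `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No Sysmon events in ForwardedEvents in the last hour.'
    # On a Windows Event Collector, list subscriptions and their runtime status.
    foreach ($sub in (wecutil es)) {
        "Subscription: $sub"
        wecutil gr $sub
    }
    return
}

# 3. Per-source, per-event-ID counts: a silent workstation or a missing ID shows up here.
$events | Group-Object MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Computer, EventID'; e = { $_.Name } } |
    Format-Table -AutoSize

# 4. Freshness: a large lag means forwarding has stalled even though older events exist.
$newest = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
'Newest Sysmon event: {0} ({1:N0} seconds ago)' -f $newest, ((Get-Date) - $newest).TotalSeconds
```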