For anyone finding this, as this came up on Slack: [default] doesn't apply to modular inputs, most notably wineventlog. You'll need to add it to the top level stanza for that input type: [WinEventLog]
_meta = hf_proxy::meta_test https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Specify_global_settings_for_Windows_Event_Log_inputs
... View more
It's necessary to declare some info into the inputs.conf file too.
Example: https://answers.splunk.com/answers/143771/whats-the-trick-to-get-unarchive-cmd-to-work-for-a-custom-archive-format.html
... View more