Hi, you should not edit files in system/default as they belong to splunk and will be overwritten when you upgrade So either edit in system/local context or in a application. You just have to place you in the context with a stanza [xxxx] and then add the line you want to change ... View more

Hi @Alepy, to take logs from windows the best approach is using a Universal Forwarder and the Splunk_TA_Windows, so you have to: on Splunk Enterprise enable receiving [Settings -- Forwarding and receiving -- Receive Data], install the Splunk UF on the target server, configure UF to send logs to the Splunk Enterprise: splunk add forward-server <host>:<port> -auth <username>:<password> (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Deployaforwarder ), copy and untar the Splunk_TA_Windows ( https://splunkbase.splunk.com/app/742/ ) in $SPLUNK_HOME\etc\apps of the target server, make a copy of inputs.conf in Splunk_TA_Windows (copy from default folder in local folder), modify the local version changing disabled=0 in the stanzas you need, restart Splunk on the target server. this Technical Add-On (TA) already contains all the inputs for you, but by default are disable, so you have to enable the ones you need. Ciao. Giuseppe ... View more