Sorry, but this is just not true. CIM add-on does not on its own provide extractions nor contain any additional dashboards or reports apart from a few directly connected with the CIM state. It provides a common (hence the name) standard to which the data should be normalized using add-ons specific for each separate types of source data. ... View more

Thank you so much. It worked. ... View more

Assuming, these are under Event Viewer ( For example: Event Viewer > Windows Logs > Applications and Services ) you need to add monitors like below in  the local inputs.conf of the Windows host in question. Example: Below is the way we specify the path of the channel from EventViewer for sending over UAC logs.  This is to be defined under  c:\program files\splunk forwarder\apps\splunk_TA_Windows\local\inputs.conf [WinEventLog:Microsoft-Windows-UAC/Operational] disabled = 0   You will have to adjust the path of the channel ( log folder) accordingly to where those KMS logs are stored..  Check this link for getting the path correct:    https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorWindowseventlogdata#Use_the_Full_Name_log_property_in_Event_Viewer_to_specify_complex_Event_Log_channel_names_properly Note:  You can also get the path by right clicking on a sampe Event >> event properties >> Details >>  XML View >>  channel name Pls vote up or mark as Solution  if it helps ... View more

Hi @thevikramyadav, if your Splunk server continues to receive logs from other Universal Forwarders, the problem could be in the connection. Check it using telnet: telnet <ip_splunk_server> 9997 maybe something changed in the firewall rules. Ciao. Giuseppe ... View more