Hi,  We currently have a centralized WEF collection server that collects all windows logs across the environment. This includes forwarding sysmon,application,system channels etc... to the collector. Everything ends up in ForwardedEvents on the WEF collection server. I've installed a UF on this host.  I have the windows TA deployed with the following input stanza       #[WinEventLog://ForwardedEvents] #disabled = 0 #index = wef #start_from = oldest #current_only = 0 #batch_size = 50 #checkpointInterval = 15 #renderXml=true #host=WinEventLogForwardHost       I have 2 problems currently.  The splunk universal forwarder doesn't appear to be keeping up with the number of windows event logs coming to the WEF collector. ~1000 hosts. Another (different) SIEM collector for WEF keeps up fine on the same host and collects all logs. i'm able to compare what one collector is collecting vs the Splunk UF. I've tried adjusting the batch_size and checkpoint interval as above.   I want to split certain windows channels in the ForwardedEvents channel to different indexes. I have tried deploying the microsoft sysmon TA and adding a new input with the following configuration.       #[WinEventLog://ForwardedEvents] #disabled = true #index = wef-sysmon #start_from = oldest #current_only = 0 #batch_size = 50 #checkpointInterval = 15 #renderXml=true #host=WinEventLogForwardHost #whitelist = $XmlRegex='Microsoft-Windows-Sysmon'​       i then add  blacklist = $XmlRegex='Microsoft-Windows-Sysmon' to the windows TA. Then everything seems to stop. I stop receiving all events on my indexer. I've also tried adding multiple inputs with differing indexes and whitelist/blacklists in the windows TA to no avail. Would someone be able to point me in the right direction?       ... View more