I use the EXACT SAME inputs.conf and Splunk_TA_windows app on the enterprise servers and forwarders (Splunk is installed on 2012R2 servers). My search head gets the same app from the deployment server that all other Windows UFs are receiving (and the search head is working); the indexers get it from the Index Master, from its master-apps directory, pushed as a configuration bundle. Again, all 6 Splunk Enterprise servers DO create date_* fields and I can query them, but my other machines using universal forwarders DO NOT. (inputs.conf is in the local directory of Splunk_TA_windows; I do not edit ANY files in default, and props.conf is only in default; I did not copy it to local on any servers or clients.)
The input is straight from the Splunk_TA_windows/default/inputs.conf, except that I set disabled to false and created a couple of whitelists and blacklists to filter out extraneous log data. Basically I am pulling the following Windows event logs (I am not pulling any monitor or performance data, only Windows EVT/EVTX files):
[default]
evt_resolve_ad_obj = 1
evt_dc_name = asep.tsmil.mil

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
whitelist = 16, 11707, 11724, 50, 51, 900, 901, 902, 903
checkpointInterval = 5
index = wineventlog
renderXml = false

[WinEventLog://Windows Powershell]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
whitelist = (a lot of specified event IDs; I am getting the event IDs and the events)
blacklist = (specific event IDs with Message = a regex, where the data is too chatty and irrelevant)
checkpointInterval = 5
index = wineventlog
renderXml = false

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
whitelist = 16, 11707, 11724, 50, 51, 900, 901, 902, 903
checkpointInterval = 5
index = wineventlog
renderXml = false
The rest of the default stanzas in inputs.conf for Splunk_TA_windows are disabled.
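A quick check on the stanza spelling, as an added example (this is not Splunk's tooling and not code from the post above): the script reads an inputs.conf, flags settings whose spelling differs from the documented names in Splunk's inputs.conf.spec (whitelist, blacklist, checkpointInterval, renderXml), lists which WinEventLog stanzas are actually enabled, and writes back a copy in the documented spelling so it can be compared against `splunk btool inputs list --debug` on a forwarder. The embedded config is a constructed copy of the one posted, with the domain controller name replaced by a placeholder and the Security whitelist/blacklist filled with illustrative values; the table of documented names is an assumption limited to the settings the post uses.

```python
"""Lint WinEventLog stanzas in a Splunk inputs.conf (added example, not Splunk tooling)."""
import configparser

# Documented setting names from inputs.conf.spec for the settings used in the
# post (assumption: the table is deliberately limited to those settings).
DOCUMENTED = (
    "disabled", "start_from", "current_only", "whitelist", "blacklist",
    "checkpointInterval", "index", "renderXml", "evt_resolve_ad_obj",
    "evt_dc_name",
)
CANONICAL = {name.lower(): name for name in DOCUMENTED}

# Constructed copy of the posted config: the DC name is a placeholder and the
# Security whitelist/blacklist are illustrative, not the poster's real lists.
SAMPLE_CONF = """\
[default]
evt_resolve_ad_obj = 1
evt_dc_name = dc01.example.invalid

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
Whitelist = 16, 11707, 11724, 50, 51, 900, 901, 902, 903
Checkpointinterval = 5
index = wineventlog
renderxml = false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
whitelist = 4624, 4625, 4688
blacklist = EventCode=4662 Message="Object Type:\\s+groupPolicyContainer"
checkpointInterval = 5
index = wineventlog
renderXml = false

[WinEventLog://Setup]
disabled = 1
"""


def parse_inputs(text):
    """Return {stanza: {setting: value}}, keeping setting names exactly as written."""
    cp = configparser.ConfigParser(
        interpolation=None,          # Splunk values may contain '%'
        default_section="__none__",  # don't let configparser special-case [default]
        strict=True,                 # a duplicated setting is a real error
    )
    cp.optionxform = str             # preserve case instead of lower-casing names
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def lint_settings(stanzas):
    """List (stanza, name_as_written, documented_name) for every setting whose
    spelling differs from the documented form; documented_name is None when
    the setting is not in the table at all."""
    findings = []
    for stanza, settings in stanzas.items():
        for name in settings:
            canon = CANONICAL.get(name.lower())
            if canon != name:
                findings.append((stanza, name, canon))
    return findings


def enabled_stanzas(stanzas):
    """WinEventLog stanzas that are not explicitly disabled, sorted by name."""
    return sorted(
        stanza for stanza, settings in stanzas.items()
        if stanza.startswith("WinEventLog://")
        and settings.get("disabled", "0").strip().lower() not in ("1", "true")
    )


def canonicalize(stanzas):
    """Copy of the parsed config with every known setting in documented spelling."""
    return {
        stanza: {CANONICAL.get(name.lower(), name): value for name, value in settings.items()}
        for stanza, settings in stanzas.items()
    }


def render(stanzas):
    """Serialise back to inputs.conf text with one blank line between stanzas."""
    blocks = []
    for stanza, settings in stanzas.items():
        lines = [f"[{stanza}]"] + [f"{name} = {value}" for name, value in settings.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    parsed = parse_inputs(SAMPLE_CONF)
    for stanza, name, canon in lint_settings(parsed):
        expected = canon if canon else "not a documented setting"
        print(f"{stanza}: '{name}' -> {expected}")
    print("enabled:", ", ".join(enabled_stanzas(parsed)))
    print(render(canonicalize(parsed)))
```

Run it against the forwarder's local/inputs.conf instead of SAMPLE_CONF and compare the rendered output with what btool reports on one of the full Splunk Enterprise hosts; a difference in which stanzas are enabled, or in a setting name, narrows the search before looking at the indexer side.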