The CLI method is what I've tried to use, but I cannot see an install flag for adding the Splunk Cloud .spl credential/authentication file to the installation. Am I right in understanding that the .spl has to be added after the installation via a splunk.exe command? I'm now seeing that the Splunk Add-on for Microsoft Windows is not present in the Universal Forwarder configuration (missing "Splunk_TA_windows" folder in \etc\apps\), so no data is now being sent to Splunk Cloud. The add-on has otherwise been set up and added to the Cloud instance/tenant, but do I need a Deployment Server to actually roll out config to get the UF to send Windows data? I can't find any documentation or example folder configs to get the Add-on working without a DS. The switches mentioned in the CLI installation for sending certain data (WINEVENTLOG_APP_ENABLE / WINEVENTLOG_SEC_ENABLE / WINEVENTLOG_SYS_ENABLE / WINEVENTLOG_FWD_ENABLE / WINEVENTLOG_SET_ENABLE) do nothing. The Cloud instance only looks to be receiving connection information from the forwarder, but nothing is hitting the indexes which were set up as part of the Add-on installation. Is it a matter of using these as a template? - https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Configuration