Where do I get the app config from to place in etc \etc\ structure? I think that's the part that I'm stuck on. My forwarders are present in the cloud portal but I cannot see any data going to them outside of some sort of connectivity log. For background, our users are remote workers so I'm hoping to connect the endpoints directly to the cloud instance instead of having a cloud VM managing the traffic and adding an additional point of failure. All firewalling is local to the machine and the systems are using a zero-trust architecture with SSO for all operations. ... View more

The CLI method is what I've tried to use, but I cannot see an install flag for adding the Splunk Cloud .spl credential/authentication file to the installation, am I right in understanding that the .spl has to be added after the installation via a splunk.exe command? I'm now seeing that the Splunk Add-on for Microsoft Windows is not present in the Universal Forwarder configuration (missing "Splunk_TA_windows" folder in \etc\apps\) so no data is now being sent to Splunk Cloud. The add-on has otherwise been setup and added to the Cloud instance/tenant, but do I need a Deployment Server to actually rollout config to get the UF to send Windows data? I can't find any documentation or example folder configs to get the Add-on working without a DS? The switches mentioned in the CLI installation for sending certain data (WINEVENTLOG_APP_ENABLE / WINEVENTLOG_SEC_ENABLE / WINEVENTLOG_SYS_ENABLE / WINEVENTLOG_FWD_ENABLE / WINEVENTLOG_SET_ENABLE) do nothing. The Cloud instance only looks to be receiving connection information from the forwarder but nothing is hitting the indexes which were setup as part of the Add-on installation. Is it a matter of using these as a template? - https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Configuration ... View more