It could be many things including: It is "inputs.conf", not "input.conf" and this file needs to be sent to the UF itself which will NOT have a "/opt/splunk/etc/system/local/" directory (it would be "/opt/splunkforwarder/etc/system/local/", but that is not really the right place for it in any case). If you are using transforms like this, the pros.conf/transforms.conf files must be deployed to the first full instance of Splunk that handles those events.  Assuming that you are using Windows UF (there are MANY other options for getting Windows Events), this means EITHER your indexers (every one of them) OR your HF tier (best to be safe and send it everywhere). ... View more