Were you following the documentation for "Splunk App for Windows Infrastructure" v1.1.3? The documentation states:
Copy the indexes.conf file from the installation package to the configuration directory on the indexer
But the stanza in that indexes.conf doesn't match the output.conf later in the documentation, which relates to the Windows Add-On.
indexes.conf:
[winevents]
homePath = $SPLUNK_DB/winevents/db
coldPath = $SPLUNK_DB/winevents/colddb
thawedPath = $SPLUNK_DB/winevents/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
inputs.conf - from Splunk Add-On for Windows (v4.7.5)
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = false
I changed the indexes.conf file so that all references to winevents were wineventlog, and copied the updated file to .\Splunk\etc\system\local.
Paul
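The mismatch described in the post (an index stanza called winevents while the add-on's inputs write to wineventlog) is easy to check mechanically before data is sent nowhere. The script below is an added example, not code from the post or from Splunk: it builds two constructed .conf files (contents and the temporary working directory are assumptions for illustration), extracts every `index =` value from inputs.conf, and reports any that has no stanza in indexes.conf and is not one of Splunk's built-in indexes.

```shell
#!/bin/sh
# Added example (not from the original post): check that every index named in an
# inputs.conf "index =" key has a matching stanza in indexes.conf. Sample conf
# files are constructed here; the working directory and contents are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/splunk-index-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed indexes.conf: the index is called "winevents", as in the post.
cat > "$WORK/indexes.conf" <<'EOF'
[winevents]
homePath = $SPLUNK_DB/winevents/db
coldPath = $SPLUNK_DB/winevents/colddb
thawedPath = $SPLUNK_DB/winevents/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
EOF

# Constructed inputs.conf: the add-on's input points at "wineventlog";
# a second (hypothetical) input writes to the built-in "main" index.
cat > "$WORK/inputs.conf" <<'EOF'
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = false

[WinEventLog://System]
disabled = 0
index = main
EOF

# Indexes Splunk creates on its own; they need no stanza in a custom indexes.conf.
BUILTIN="main history summary _internal _audit"

# Stanza names from indexes.conf, skipping [default] and [volume:...] stanzas,
# which are settings containers rather than indexes.
defined_indexes() {
    sed -n 's/^\[\([^]]*\)\]$/\1/p' "$1" | grep -v -e '^default$' -e '^volume:'
}

# Distinct "index = ..." values across all input stanzas (disabled inputs
# included: the mismatch bites as soon as someone flips disabled = 0).
referenced_indexes() {
    sed -n 's/^[[:space:]]*index[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Print every referenced index that is neither defined nor built in.
missing_indexes() {
    idx="$1"; inp="$2"
    defined="$(defined_indexes "$idx")"
    for name in $(referenced_indexes "$inp"); do
        echo "$defined" | grep -qx "$name" && continue
        echo "$BUILTIN" | tr ' ' '\n' | grep -qx "$name" && continue
        echo "$name"
    done
}

missing="$(missing_indexes "$WORK/indexes.conf" "$WORK/inputs.conf")"
if [ -n "$missing" ]; then
    echo "inputs.conf references undefined index(es): $missing"
else
    echo "all referenced indexes are defined"
fi
```

On a live indexer the same comparison can be made against the merged configuration rather than a single file: `splunk btool indexes list --debug` prints every index stanza with the file each setting came from, and `splunk btool inputs list --debug` does the same for inputs, so a stanza placed in etc/system/local versus the add-on's own directory is visible at once.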