Hello Friends, here is my snipped of inputs.conf tog et you an idea or may be mistaked on my end ?? again thank you for your help ------------------ This is my snip of inputs.conf # cat inputs.conf [perfmon://CPU] counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time instances = * interval = 30 mode = single object = Processor _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:CPU disabled = 0 index=uat [perfmon://Memory] counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes interval = 30 mode = single object = Memory _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:Memory disabled = 0 index=uat [WinEventLog://Application] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 10 renderXml=true sourcetype = WinEventLog:Application index=uat [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 10 renderXml=true blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)" blacklist3 = EventCode="4624" Message="An account was successfully logged on" blacklist4 = EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%" blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy." #whitelist = 1101, 1104, 4616, 4657, 4697 sourcetype = WinEventLog:Security index=uat [WinEventLog://System] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 10 renderXml=true sourcetype = WinEventLog:System index=uat [WinEventLog://Setup] checkpointInterval = 10 current_only = 0 disabled = 0 start_from = oldest renderXml=true sourcetype = WinEventLog:Setup index=uat [monitor://$SPLUNK_HOME\var\log\splunk\*.log*] sourcetype = uf dissabled = 0 index = _internal
... View more