How to Send Windows Logs to Splunk Cloud — Complete Step-by-Step Guide

Windows Logs flowing in Splunk Cloud
// Table of Contents
  1. Introduction
  2. Prerequisites
  3. Step 1 — Log in to Splunk Cloud Trial
  4. Step 2 — Create Index in Splunk Cloud
  5. Step 3 — Download Universal Forwarder Credentials
  6. Step 4 — Download & Install Universal Forwarder
  7. Step 5 — Extract & Install Forwarder Credentials
  8. Step 6 — Create inputs.conf
  9. Step 7 — Restart & Verify Logs
  10. Troubleshooting
  11. Conclusion

Introduction

As a Cyber Security student learning SOC operations, one of the first hands-on skills you need is getting data into a SIEM. Splunk Cloud is one of the most widely used SIEM platforms in the industry, and Windows Event Logs are the most common data source in enterprise environments.

In this guide, I walk you through the complete process of sending Windows Event Logs — Application, Security, and System — to your Splunk Cloud Trial account. I documented every step while doing this myself on my own Windows laptop, including the real errors I hit and how I fixed them.

// What you will achieve
Your Windows laptop will send live Event Logs to Splunk Cloud in near real time. You will be able to search and analyze them using SPL (Search Processing Language).

Prerequisites

⚠ Important
Always run PowerShell as Administrator throughout this guide. Right-click PowerShell → "Run as administrator".

STEP 01 Log in to Splunk Cloud Trial

Open your browser and go to your Splunk Cloud trial URL:

https://prd-p-XXXXXX.splunkcloud.com

Log in with your admin credentials. You land on the Splunk Cloud home dashboard.

Splunk Cloud Dashboard after login
STEP 02 Create Index in Splunk Cloud

Splunk stores data in indexes. You need to create one before data can flow into it. Think of an index as a dedicated folder for a specific type of log.

  1. Click Settings in the top navigation
  2. Click Indexes
  3. Click New Index
Splunk Cloud Indexes page

Fill in the following fields:

Field                    Value
Index Name               wineventlog
Index Data Type          Events
Searchable Time (days)   30

Click Save.

New Index form filled with wineventlog
// Important
The index name wineventlog must match exactly what you put in inputs.conf later — same spelling, all lowercase. If inputs.conf names an index that does not exist on your Splunk Cloud stack, the indexers discard those events (there is no fallback unless a last-chance index has been configured), so nothing shows up in search and the forwarder reports no error.
STEP 03 Download Universal Forwarder Credentials

The Universal Forwarder Credentials file (splunkclouduf.spl) contains your Splunk Cloud instance address, port 9997 endpoint, and SSL certificates — all pre-configured. This is what tells your forwarder where to send data.

  1. Click Apps in the top navigation
  2. Click Universal Forwarder
  3. Click "Download Universal Forwarder Credentials"
Download Universal Forwarder Credentials button

The file downloads as:

splunkclouduf.spl
// What is this file?
The .spl file is a .tar.gz archive containing a pre-configured outputs.conf. When installed on your forwarder, it automatically points to your Splunk Cloud instance — no manual address entry needed.
STEP 04 Download & Install Universal Forwarder

Download

Go to the Splunk Universal Forwarder download page and select Windows 64-bit .msi:

https://www.splunk.com/en_us/download/universal-forwarder.html

Install

  1. Double-click the downloaded .msi file
  2. Accept the License Agreement
  3. Select the Splunk Cloud option
  4. Set your credentials (username: admin, choose a password you will remember)
  5. Leave Deployment Server blank
  6. Click Next → Install
Universal Forwarder installer with Splunk Cloud option selected
⚠ Remember This Password
You will need this password when running CLI commands. If your password contains special characters like @ or #, wrap it in single quotes in PowerShell — e.g. 'MyPass@123'.
Universal Forwarder installation complete
STEP 05 Extract & Install Forwarder Credentials

The splunkclouduf.spl file is a .tar.gz archive. We extract it and copy the contents into the forwarder's apps folder. Open PowerShell as Administrator and run each command one at a time:

1. Extract the credentials file

// PowerShell — tar -C does not create the target folder, so create it first
New-Item -ItemType Directory -Force "C:\Users\Dell\Downloads\splunkclouduf_extracted" | Out-Null
tar -xzf "C:\Users\Dell\Downloads\splunkclouduf.spl" -C "C:\Users\Dell\Downloads\splunkclouduf_extracted"

2. Verify what was extracted

// PowerShell
ls "C:\Users\Dell\Downloads\splunkclouduf_extracted"

You should see:

100_prd-p-kpfrw_splunkcloud

3. Copy credentials to forwarder apps folder

// PowerShell
Copy-Item "C:\Users\Dell\Downloads\splunkclouduf_extracted\*" "C:\Program Files\SplunkUniversalForwarder\etc\apps\" -Recurse -Force

4. Verify the copy

// PowerShell
ls "C:\Program Files\SplunkUniversalForwarder\etc\apps\"

5. Restart the forwarder

// PowerShell
Restart-Service SplunkForwarder

6. Verify connection to Splunk Cloud

// PowerShell
cd "C:\Program Files\SplunkUniversalForwarder\bin"
.\splunk.exe list forward-server

Expected output:

Active forwards:
        inputs.prd-p-kpfrw.splunkcloud.com:9997 (ssl)
Configured but inactive forwards:
        None
PowerShell showing Active forwards connected to Splunk Cloud
// Success Signal
Seeing inputs.prd-p-kpfrw.splunkcloud.com:9997 (ssl) under Active forwards confirms your forwarder is connected to Splunk Cloud. This is a key milestone!
⚠ Login Failing at CLI Prompt?
splunk.exe asks for the admin username and password before it answers. If the prompt rejects a password that contains special characters, pass it explicitly instead: add the -auth flag with the value admin:<password> wrapped in single quotes, so PowerShell does not interpret the @ or #. Retrying the interactive prompt, as the author did, may also get through, but quoting is the reliable fix. One caveat: a password given with -auth is written to the PowerShell history file (PSReadLine's ConsoleHost_history.txt) and is visible in process listings while the command runs, so on a shared machine prefer the interactive prompt or clear the history afterwards.
STEP 06 Install Splunk Add-on for Windows & Create inputs.conf

The Splunk Add-on for Windows supplies the source types, field extractions and CIM mappings that make Windows Event Log data searchable by field (EventCode, user, and so on). It belongs on the Splunk Cloud search tier; in our case it was already available in the Splunk Cloud app inventory. The Universal Forwarder collects Windows Event Logs natively, so nothing beyond the inputs.conf below is needed on the laptop. One permission caveat: the forwarder service account must be able to read the Security log. The default Local System account can; if you run the service under a dedicated local or domain account instead, add that account to the local Event Log Readers group.

Splunk Add-on for Windows installed

Now create the inputs.conf file which tells the Universal Forwarder what data to collect.

1. Create the app folder structure

// PowerShell
mkdir "C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local"

2. Create inputs.conf in Notepad++

Open Notepad++, then File → New, and paste this content exactly:

// inputs.conf
[WinEventLog://Application]
disabled = 0
start_from = oldest
index = wineventlog
renderXml = true

[WinEventLog://Security]
disabled = 0
start_from = oldest
index = wineventlog
renderXml = true

[WinEventLog://System]
disabled = 0
start_from = oldest
index = wineventlog
renderXml = true

3. Save the file correctly

  1. Click File → Save As
  2. Navigate to: C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\
  3. Set filename: inputs.conf
  4. Set Save as type to: All Files (*.*)
  5. Click Save
⚠ Critical — File Extension
If "Save as type" is left at Text Documents (*.txt), the editor appends .txt and you get inputs.conf.txt, which splunkd silently ignores. This happens in plain Notepad and in Notepad++ alike: in either editor choose All Files (*.*), or type the name in double quotes ("inputs.conf"). Also enable "File name extensions" in Explorer's View menu, otherwise the stray .txt stays hidden and the file looks correct.

4. Verify the file

// PowerShell — check filename
ls "C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\"

Should show inputs.conf — NOT inputs.conf.txt.

// PowerShell — check content
type "C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\inputs.conf"
STEP 07 Restart Forwarder & Verify Logs in Splunk Cloud

1. Restart the forwarder

// PowerShell
Restart-Service SplunkForwarder

2. Wait 2–3 minutes

Give the forwarder time to start up, read the new inputs.conf, and begin shipping events to Splunk Cloud.
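Steps 5 through 7.1 on the forwarder, as one script that can be re-run safely. This is an added example and is not code from the original post; it assumes the default install path, that splunkclouduf.spl sits in the current user's Downloads folder, and that the index is called wineventlog as created in Step 2. Writing inputs.conf from a single-quoted here-string avoids the editor and the .txt-suffix mistake, and reading the admin password with Get-Credential sidesteps the quoting problems that @ and # cause on the command line. Run it from an elevated PowerShell.

```powershell
# Added example, not from the original page. Assumed names: default install
# path, .spl in $env:USERPROFILE\Downloads, index 'wineventlog', app
# 'my_windows_inputs'. Run as Administrator.
$ErrorActionPreference = 'Stop'

$UfHome    = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk    = Join-Path $UfHome 'bin\splunk.exe'
$SplFile   = Join-Path $env:USERPROFILE 'Downloads\splunkclouduf.spl'
$Extracted = Join-Path $env:USERPROFILE 'Downloads\splunkclouduf_extracted'
$AppsDir   = Join-Path $UfHome 'etc\apps'
$AppName   = 'my_windows_inputs'
$LocalDir  = Join-Path $AppsDir "$AppName\local"

# --- Step 5: install the Splunk Cloud credentials app ---------------------
# tar -C does not create the target directory, so create it first.
New-Item -ItemType Directory -Force -Path $Extracted | Out-Null
tar -xzf $SplFile -C $Extracted
if ($LASTEXITCODE -ne 0) { throw "tar failed with exit code $LASTEXITCODE" }

# A forwarder credentials package always carries an outputs.conf; refuse to
# continue if this .spl does not, rather than restarting into a broken state.
$outputsConf = Get-ChildItem -Path $Extracted -Recurse -Filter outputs.conf | Select-Object -First 1
if (-not $outputsConf) { throw "No outputs.conf inside $SplFile; re-download the credentials" }
Write-Host "Credentials app: $((Get-ChildItem -Path $Extracted -Directory).Name)"

Copy-Item -Path (Join-Path $Extracted '*') -Destination $AppsDir -Recurse -Force

# --- Step 6: write inputs.conf from PowerShell (no editor, no .txt suffix) --
New-Item -ItemType Directory -Force -Path $LocalDir | Out-Null
# Single-quoted here-string: nothing inside is expanded or escaped.
$inputsConf = @'
[WinEventLog://Application]
disabled = 0
start_from = oldest
index = wineventlog
renderXml = true

[WinEventLog://Security]
disabled = 0
start_from = oldest
index = wineventlog
renderXml = true

[WinEventLog://System]
disabled = 0
start_from = oldest
index = wineventlog
renderXml = true
'@
Set-Content -Path (Join-Path $LocalDir 'inputs.conf') -Value $inputsConf -Encoding ascii

# Guard against the classic mistake: a stray inputs.conf.txt that splunkd ignores.
$stray = Join-Path $LocalDir 'inputs.conf.txt'
if (Test-Path $stray) { throw "Found $stray; remove or rename it before continuing" }

# btool prints the merged configuration exactly as splunkd will read it,
# so a typo in a stanza name or the index shows up here, before the restart.
& $Splunk btool inputs list "--app=$AppName"

# --- Step 7: restart and confirm the TLS connection to Splunk Cloud --------
Restart-Service -Name SplunkForwarder
Start-Sleep -Seconds 20   # splunkd needs a moment to start and open the 9997 connection

# Prompting keeps the password out of the PowerShell history file and avoids
# the '@' / '#' quoting problem; the value is built as admin:<password>.
$cred = Get-Credential -UserName admin -Message 'Universal Forwarder admin password'
$auth = 'admin:' + $cred.GetNetworkCredential().Password
& $Splunk list forward-server -auth $auth
# Expect the Splunk Cloud endpoint under "Active forwards:", e.g.
#   inputs.prd-p-XXXXXX.splunkcloud.com:9997 (ssl)
```

The password still reaches splunk.exe as a command-line argument, so it is briefly visible in a process listing on the local machine; that is acceptable on your own laptop, but on a shared host drop the -auth argument and answer the interactive prompt instead. The btool call needs no credentials and is the quickest way to confirm that the stanza names and the index name are exactly what you intended.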

3. Search in Splunk Cloud

  1. Log in to your Splunk Cloud trial
  2. Go to Apps → Search & Reporting
  3. Enter this search:
// SPL Search
index=wineventlog earliest=-15m
  4. Set time to Last 15 minutes → click Search
Windows Event Logs appearing in Splunk Cloud search results
// 🎉 Success
If you see events like the screenshot above — Windows logs are flowing to Splunk Cloud in real time. You have successfully set up your first SIEM data source!

Troubleshooting

Here are the real issues I ran into during this setup and exactly how I fixed them:

Problem: Login failed in PowerShell CLI
Cause:   Special characters (@, #) in password
Fix:     Wrap in single quotes: 'MyPass@123' — or keep retrying, works after 1–2 attempts

Problem: inputs.conf not found
Cause:   Saved as inputs.conf.txt
Fix:     Rename: Rename-Item inputs.conf.txt inputs.conf

Problem: No logs in Splunk Cloud
Cause:   Index name mismatch
Fix:     Verify index name is exactly wineventlog in both Splunk Cloud and inputs.conf

Problem: No active forwards
Cause:   Credentials folder missing
Fix:     Verify 100_prd-p-kpfrw_splunkcloud exists in etc\apps\

Problem: Cannot delete files during uninstall
Cause:   Forwarder service still running
Fix:     Run Stop-Service SplunkForwarder first, then use Control Panel → Uninstall

Problem: Multiple commands fail at once
Cause:   Pasting all lines as one command
Fix:     Run each PowerShell command separately, one line at a time

Problem: .spl file won't extract as zip
Cause:   It is tar.gz not zip format
Fix:     Use tar -xzf command instead of Expand-Archive
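When the table above does not explain why nothing arrives, the forwarder's own splunkd.log usually does. The helper below is an added example, not part of the original post; it checks the three things every item in the table comes back to (service state, the credentials app and inputs.conf on disk, and what splunkd logged about its outbound connection and the Windows Event Log input). It assumes the default install path, the app name my_windows_inputs, and that the credentials app follows the 100_<stack>_splunkcloud naming seen in Step 5.

```powershell
# Added troubleshooting helper, not from the original page. Assumes the default
# install path and the app/credentials names used in this guide.
function Get-UfDiagnostics {
    param(
        [string]$UfHome    = 'C:\Program Files\SplunkUniversalForwarder',
        [string]$AppName   = 'my_windows_inputs',
        [int]   $TailLines = 3000
    )

    # 1. Service state: a stopped service explains every "no logs" symptom at once.
    $svc = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue
    if (-not $svc)                      { Write-Warning 'SplunkForwarder service is not installed' }
    elseif ($svc.Status -ne 'Running')  { Write-Warning "SplunkForwarder is $($svc.Status), not Running" }
    else                                { Write-Host 'Service: Running' }

    # 2. Files on disk: credentials app present, inputs.conf present, no .txt twin.
    $apps    = Get-ChildItem -Path (Join-Path $UfHome 'etc\apps') -Directory
    $credApp = $apps | Where-Object { $_.Name -like '100_*_splunkcloud' }
    if ($credApp) { Write-Host "Credentials app: $($credApp.Name)" }
    else          { Write-Warning 'No 100_<stack>_splunkcloud app: the forwarder has nowhere to send data' }

    $local = Join-Path $UfHome "etc\apps\$AppName\local"
    if (Test-Path (Join-Path $local 'inputs.conf.txt')) {
        Write-Warning "inputs.conf.txt found in $local; rename it to inputs.conf"
    }
    if (-not (Test-Path (Join-Path $local 'inputs.conf'))) {
        Write-Warning "No inputs.conf in $local; the forwarder is not collecting anything"
    }

    # 3. What splunkd itself says. TcpOutputProc logs each attempt to reach the
    #    indexers (a "Connected to idx=..." line means the TLS session to 9997 is
    #    up); WARN/ERROR lines mentioning the Windows Event Log input usually point
    #    at a misspelled channel name or a service account that cannot read it.
    $logFile = Join-Path $UfHome 'var\log\splunk\splunkd.log'
    if (-not (Test-Path $logFile)) { Write-Warning "No splunkd.log at $logFile"; return }
    $tail = Get-Content -Path $logFile -Tail $TailLines

    Write-Host "`n--- last TcpOutputProc lines ---"
    $tail | Where-Object { $_ -match 'TcpOutputProc' } | Select-Object -Last 5

    Write-Host "`n--- WinEventLog warnings/errors ---"
    $tail | Where-Object { $_ -match '\b(WARN|ERROR)\b' -and $_ -match 'WinEventLog|winevtlog' } |
        Select-Object -Last 10
}

Get-UfDiagnostics
```

Run it from an elevated PowerShell after any change. If the service is running, the credentials app and inputs.conf are present, and TcpOutputProc reports a connection but the search in Step 7 is still empty, the remaining suspect is the index name on the Splunk Cloud side, which this script cannot see; compare it character by character with the value in inputs.conf.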

Conclusion

You have successfully set up the Splunk Universal Forwarder on your Windows machine and configured it to send Windows Event Logs — Application, Security, and System — to Splunk Cloud in real time.

This is a foundational skill for any SOC analyst. In a real enterprise environment you would deploy this across hundreds of machines using a Deployment Server, but the core concepts are identical to what we did here.

What's next?

// Trial Tip
Splunk Cloud trials last 14 days with ~500 MB/day ingest. Windows Security logs can be very verbose, and because inputs.conf uses start_from = oldest the first run also replays every event already sitting in the log, which on a laptop that has been in use for months can eat a large share of a day's quota on its own. Start with just Application and System to stay within limits, then enable Security once comfortable; if you only want events from now on, set current_only = 1 in the Security stanza (start_from is ignored when current_only is set).