One nice thing about Windows is that system logs and many application logs go to the same place.
Unfortunately, that place is not a file, so native hooks are required to access these events. Splunk makes those inputs available using stanzas of the [WinEventLog:LogName] form. For example, to index the Security log, the stanza simply looks like this:
[WinEventLog:Security]
There are a number of supported attributes, but the defaults are reasonable. The only attribute I have personally used is current_only, which is the equivalent of followTail for monitor stanzas. For instance, this stanza says to monitor the Application log, but to start reading from now rather than from the beginning of the log:
[WinEventLog:Application]
current_only = 1
This is useful ...
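As an added example (not from the original text or from Splunk), the Python script below audits an inputs.conf for the stanzas described above: it lists each [WinEventLog:LogName] input, reports whether current_only is set, and flags expected logs that have no stanza. The sample file content, the function name, and the treatment of a missing current_only as 0 are assumptions.

```python
import configparser

# Constructed sample inputs.conf content (not from the original page).
SAMPLE_INPUTS_CONF = """\
[WinEventLog:Security]

[WinEventLog:Application]
current_only = 1

[monitor://C:\\logs\\app.log]
followTail = 1
"""

PREFIX = "WinEventLog:"


def audit_wineventlog(conf_text, required_logs=("Security",)):
    """Return (inputs, findings) for the WinEventLog stanzas in conf_text.

    inputs maps log name -> bool (current_only set). An absent current_only
    is treated as 0 (assumption: the existing backlog is read as well).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep attribute names case-sensitive
    parser.read_string(conf_text)

    inputs = {}
    for section in parser.sections():
        if not section.startswith(PREFIX):
            continue  # monitor:// and other input types are out of scope
        log_name = section[len(PREFIX):]
        raw = parser.get(section, "current_only", fallback="0")
        inputs[log_name] = raw.strip().lower() in ("1", "true")

    findings = []
    for log_name in required_logs:
        if log_name not in inputs:
            findings.append(f"{log_name}: no [WinEventLog:{log_name}] stanza")
    for log_name, current_only in sorted(inputs.items()):
        if current_only:
            findings.append(
                f"{log_name}: current_only set, events already in the log are skipped")
    return inputs, findings


if __name__ == "__main__":
    for line in audit_wineventlog(SAMPLE_INPUTS_CONF, ("Security", "System"))[1]:
        print(line)
```

A finding for current_only matters most on logs used for investigation, because events written before the input started never reach the index.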