Actually add files

Vagrant/resources/splunk_forwarder/inputs.conf

@@ -3,27 +3,27 @@ index = sysmon
 disabled = false
 renderXml = true
 
-[monitor://c:\programdata\osquery\log\osqueryd.results.log]
+[monitor://c:\Program Files\osquery\log\osqueryd.results.log]
 index = osquery
 disabled = false
 sourcetype = osquery:json
 
-[monitor://c:\programdata\osquery\log\osqueryd.snapshots.log]
+[monitor://c:\Program Files\osquery\log\osqueryd.snapshots.log]
 index = osquery
 disabled = false
 sourcetype = osquery:json
 
-[monitor://c:\programdata\osquery\log\osqueryd.INFO.*]
+[monitor://c:\Program Files\osquery\log\osqueryd.INFO.*]
 index = osquery-status
 disabled = false
 sourcetype = osquery-info:syslog
 
-[monitor://c:\programdata\osquery\log\osqueryd.WARNING.*]
+[monitor://c:\Program Files\osquery\log\osqueryd.WARNING.*]
 index = osquery-status
 disabled = false
 sourcetype = osquery-warn:syslog
 
-[monitor://c:\programdata\osquery\log\osqueryd.ERROR.*]
+[monitor://c:\Program Files\osquery\log\osqueryd.ERROR.*]
 index = osquery-status
 disabled = false
 sourcetype = osquery-error:syslog

Vagrant/resources/splunk_server/macros.conf

@@ -69,3 +69,7 @@ iseval = 0
 [remote_thread_whitelist]
 definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
 iseval = 0
+
+[indextime]
+definition = _index_earliest=-15m@m AND _index_latest=now
+iseval = 0