Configure your Splunk Universal forwarder to send Sysmon logs to Splunk

Okay locate your input.conf file and edit with your favorite text editor. It should be located somewhere similar to this

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

and add the following

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest