Configure your Splunk Universal forwarder to send Sysmon logs to Splunk
Locate your inputs.conf file and open it in your favorite text editor. It should be in a location similar to this:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf
Add the following stanza:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
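
To confirm the input is in place on a host, the following PowerShell check (an added example, not part of the original post) parses inputs.conf for the Sysmon stanza and confirms that the event channel exists. The default path and the helper name Get-StanzaSettings are assumptions; pass -InputsPath if your install differs.

```powershell
# Added example: sanity-check the Sysmon input on a Windows host.
# Assumption: the forwarder uses the install path shown above.
param(
    [string]$InputsPath = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'
)

$Channel = 'Microsoft-Windows-Sysmon/Operational'
$Stanza  = "[WinEventLog://$Channel]"

# Hypothetical helper: return the key/value pairs of one stanza, or $null if absent.
function Get-StanzaSettings {
    param([string[]]$Lines, [string]$Name)
    $settings = [ordered]@{}
    $inStanza = $false
    $found    = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # skip blanks and comments
        if ($line.StartsWith('[')) {                               # a new stanza header
            $inStanza = ($line -eq $Name)
            if ($inStanza) { $found = $true }
            continue
        }
        if ($inStanza -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($found) { return $settings } else { return $null }
}

if (-not (Test-Path -LiteralPath $InputsPath)) {
    Write-Warning "inputs.conf not found at $InputsPath"
} else {
    $cfg = Get-StanzaSettings -Lines (Get-Content -LiteralPath $InputsPath) -Name $Stanza
    if ($null -eq $cfg) {
        Write-Warning "Stanza $Stanza is missing from $InputsPath"
    } elseif ($cfg['disabled'] -in '1', 'true') {
        Write-Warning "Stanza $Stanza is present but disabled"
    } else {
        Write-Output "Stanza $Stanza found:"
        $cfg.GetEnumerator() | ForEach-Object { "  {0} = {1}" -f $_.Key, $_.Value }
    }
}

# The channel only exists once Sysmon is installed on this host.
$log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Event channel $Channel not found; is Sysmon installed?"
} else {
    "{0}: enabled={1}, records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount
}
```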