I have splunk 6 running on a windows server 2008 r2 domain controller and a spunk 6 forwarder running on windows xp.
These are used to read in evt files on xp and evtx on 2008r2. On both machines the message field of the event log is blank.
I have seen the blog about event logs in splunk 6, with the ability to suppress the message as an option (which should not be on as default?)
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
I have tried setting the input.conf as shown but this did not help:
[WinEventLog:*] suppress_text = 0 disabled = 0
[monitor://[file location here]] suppress_text = 0
Neither of which are helping. As a work around I have installed splunk 5 on the universal forwarder and this works as expected.