Why is the Splunk Web service not running after an upgrade to 6.2? Learn more »
Regarding agent vs agentless data / event gatering, WMI (agentless) seems easier to setup from within Splunk to pull in the data from remote Windows servers. So why would someone deploy Splunk as a Forwarder (agent) on their Windows servers to push the data in?
there's also some good info in the official docs here:
Please review this topic in our community wiki for more detail regarding this question.