Regarding agent vs agentless data / event gathering, WMI (agentless) seems easier to set up from within Splunk to pull in the data from remote Windows servers. So why would someone deploy Splunk as a Forwarder (agent) on their Windows servers to push the data in?
There's also some good info in the official docs here:
Please review this topic in our community wiki for more detail regarding this question.
http://www.splunk.com/wiki/Deploy:SnareVwmiVforwarding
Also,