Still no answers, but now I have more news: this whole time I've been looking at Splunk via the Windows app. But if I ignore that and just search on the workstation name, thousands of items show up. So now it seems that Splunk IS getting the info I want but for some reason the Windows app for Splunk refuses to display info for this one workstation. How strange is that?!! Can anyone troubleshoot the windows app?

I just ran netstat and it does show a connection to all 12 hosts. I then took a look at the firewall, ufw, and it shows activity from all 12 too. This is really baffling. I just installed some updates to the box and then rebooted, hoping that would be the end of it, but once again, all show up except the one in question.

If you run netstat on the ubuntu box, does it show connections from all 12 hosts?

Sadly that's not the case. All are on the same subnet and the firewall they go through shows that all 12 are sending data. I assume the problem is on the Ubuntu server but that's where my understanding stops. Anyone know how to troubleshoot Ubuntu? Thanks everyone

I'm unsure of what troubleshooting you have already tried, but I would start at the network. While understanding that you have 12 identical WindowsXP boxes, all using the default port, are they all on the same subnet with the same network rules applied to them? It sounds to me like this one you are having problems with may be behind a firewall that is blocking the forwarder traffic.