I have added about 40 winservers through WMI on a forwarder and found that there are only 30 servers on the list. Has anybody met this problem before? And is there a solution?
I believe this is a common issue when doing WMI remotely. If I'm not mistaken, the solution is to poll fewer servers. If you had two Splunk instances polling, you could have each connecting to just 20 servers and that may work fine, at least under normal load conditions.
Setting up forwarders on all 40 servers is, I think, the most robust solution. That way you can collect all the data locally, and Windows event logs can be loaded using the WinEventLog interface instead of WMI, which is better.