Greetings @agarws8,
If the forwarder was not properly installed (like what would happen if a VM image was just placed on a new server), the instance.cfg file will be "wrong" (identical to a different server), and the values of the following will be wrong. Make sure they properly match the host (and then restart the forwarder)
$SPLUNK_HOME\etc\system\local\inputs.conf
[default]
host = [wrong host?]
$SPLUNK_HOME\etc\system\local\server.conf
[general]
serverName = [wrong host?]
Note that this could be on the server you think it is OR it could be on a different host.
If you have windows event monitoring set up, find a popular event code that displays the machine name and compare it to the host value looking for differences.
Cheers,
Jacob
... View more