I don't want to hijack this thread but I'm having a similar issue and thought you may be able to tell me where I'm going wrong.
I have Splunk deployed on a Debian VM and it seems to be running fine (collects syslog data etc.). No problems there.
Now I want to collect info from my Windows machines. I installed the universal forwarder on my domain controller using the 'local' context, as the remote context failed. This is because on a domain controller there is no such thing as a local account/permission, which the 'remote' context install requires. Annoying, but collecting data from one server is fine for now; I only have another three Windows machines, so I can install a forwarder on them too.
Splunk is now receiving data from the domain controller but I have two issues:
1. The data shows up as coming from two different hosts. Performance data shows up as coming from 'FRED', whereas event log data shows up from 'fred'.
2. None of the 'Windows App' reports or searches work because the sources don't match up. For example, the performance searches are looking for source="wmi:cpu", but data coming in from the server is tagged with source="Perfmon:CPU Load".
It seems data is not being collected in the right way. Where have I gone wrong?