As the question above states:
Since the 6.2.1 update of Splunk, our Active Directory inputs are no longer gathering 'admonEventType=Sync' events.
Sync events are the main meat of the AD indexes, containing the actual listing for objects.
Our last _time entry is 12/16/2014 around 10am, immediately after the 6.2.1 update.
The other 3 admonEventTypes are still collected: Start, Scheme, update.
I have recreated the inputs on 2 servers in different locations, and the same behavior remains. Only 3 of the event types are being collected.
The solution is to remove the following line from the admon stanza in inputs.conf file in the system\default folder:
baseline=0
Adding baseline=1 to the inputs.conf in the system\local folder has no effect from what I could see. This issue affects all versions of 6.2 and 6.3.
Splunk support was able to replicate this bug and has submitted a ticket: SPL-104212
Awaiting response, and I will post any remediation steps here.
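An added example, not part of the original post and not Splunk tooling: a small Python check that lists every `baseline` setting found in admon stanzas of the inputs.conf files passed as arguments, so the `baseline=0` line described above can be found again after an upgrade replaces the system\default folder. The sample text, including the stanza names `WinRegMon://constructed` and `admon://NearestDC`, is constructed for illustration.

```python
import re
import sys
from pathlib import Path

STANZA = re.compile(r"^\[(.*)\]$")
SETTING = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def find_admon_baseline(conf_text):
    """Return (stanza, line_no, value) for each baseline setting in an admon stanza."""
    hits, stanza = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        header = STANZA.match(line)
        if header:
            stanza = header.group(1)
            continue
        setting = SETTING.match(line)
        in_admon = stanza == "admon" or (stanza or "").startswith("admon://")
        if setting and in_admon and setting.group(1) == "baseline":
            hits.append((stanza, line_no, setting.group(2).strip()))
    return hits


def baseline_off(hits):
    """Keep only the hits where baseline is 0, the value the post removes."""
    return [h for h in hits if h[2] == "0"]


# Constructed sample, not a copy of any real Splunk default file.
SAMPLE = """\
# constructed inputs.conf fragment
[WinRegMon://constructed]
baseline = 0

[admon]
monitorSubtree = 1
baseline=0

[admon://NearestDC]
baseline = 1
"""

if __name__ == "__main__":
    # Pass inputs.conf paths as arguments; with none, the sample is scanned.
    texts = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]}
    for name, text in (texts or {"SAMPLE": SAMPLE}).items():
        for stanza, line_no, value in find_admon_baseline(text):
            flag = "  <-- line the post removes" if value == "0" else ""
            print(f"{name}:{line_no} [{stanza}] baseline={value}{flag}")
```

Run it against both the system\default and system\local copies of inputs.conf to see which file carries which value.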