I have Splunk deployed on a Debian VM and it seems to be running fine (collects syslog data etc.). No problems there.
Now I want to collect info from my Windows machines. I installed the universal forwarder on my domain controller using the 'local' context, as the 'remote' context failed. This is because on a domain controller there is no such thing as a local account/permission, which the 'remote' context install requires. Annoying, but collecting data from one server is fine for now; I only have another three Windows machines, so I can install a forwarder on them too.
Splunk is now receiving data from the domain controller but I have two issues:
It seems data is not being collected in the right way. Where have I gone wrong?
WRT question 1: the host issue has to do with how Splunk 'automagically' finds hostnames. In the event log, it's taken directly from the event, because the host is part of the data (NOT the local host, as event log forwarding could create entries for many hosts on one machine).
In the performance case, there is no host in the raw data. The normal host rules apply. You can force a specific treatment by configuring an explicit host= on the forwarder or a props rule on the indexer.
Part of the reason why you haven't seen any answers is that you added your comments as answers, so your question has been showing as having two answers in the list.
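As an added illustration of the two options the answer above mentions (this is not configuration from the original thread; the stanza names, the host value DC01, the index name perfmon and the sourcetype Perfmon:CPU Load are assumptions to adjust for your environment): a forwarder-side inputs.conf that pins host= for the perfmon input, and an indexer-side props.conf/transforms.conf pair that rewrites the host of that sourcetype at index time.

```ini
# --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Added example, not from the original thread; stanza names and values are assumptions.

# Option 1: force a specific host on the forwarder.
# host= in [default] applies to every input on this forwarder that neither
# sets its own host= nor gets the host from the data itself.
[default]
host = DC01

# Per the answer above, Windows event logs carry the originating computer name
# inside each event, so the host comes from the event, not from host= here.
[WinEventLog://Security]
disabled = 0

# Performance counters carry no host in the raw data, so the forwarder's host
# rule applies. A per-input host= overrides the [default] value for this input only.
[perfmon://CPU Load]
object = Processor
counters = % Processor Time
instances = *
interval = 10
index = perfmon
host = DC01
disabled = 0

# --- On the indexer: $SPLUNK_HOME/etc/system/local/props.conf ---
# Option 2: rewrite the host with a props rule at index time. The universal
# forwarder sends unparsed data, so this runs on the indexer as events arrive.
# Sourcetype name is an assumption (perfmon inputs default to Perfmon:<stanza name>).
[Perfmon:CPU Load]
TRANSFORMS-sethost = perfmon_force_host

# --- On the indexer: $SPLUNK_HOME/etc/system/local/transforms.conf ---
# Index-time host override: REGEX = . matches every event of the sourcetype,
# FORMAT writes the fixed value, and DEST_KEY targets the host metadata field.
[perfmon_force_host]
REGEX = .
FORMAT = host::DC01
DEST_KEY = MetaData:Host
```

Restart the forwarder after editing inputs.conf and the indexer after editing props.conf/transforms.conf; index-time rules only affect events indexed after the change, so existing events keep whatever host they were assigned. If a heavy forwarder sits between the universal forwarder and the indexer, it parses the data first and the props/transforms rule must live there instead.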
Thank you for answering. I'll make sure I add any future updates as comments to avoid that in future.
I am seeing the hostname issue with syslog entries too, so that should be a useful reference (some entries show hostname and some show the IP).
Will read up on the Windows app problem. Thanks for pointing me in the right direction.