Thank you for the suggestion.

I've heard of the forwarder.
We've got many machines (1800 hosts wouldn't be an exaggerated number), so trying to avoid installing the UF on each system and streaming the logs to Splunk. Concerns have been raised about network bandwidth utilization and the amount of data that will be sent to Splunk and how doing so might pose challenges with the amount of data we can ingest.

As such wanted to provide an "on-demand" way of doing it. Thinking was we might utilize Ansible to connect to the host, tar up the data and upload it to Splunk.

If you have Ansible then you have an easy way to install a UF on each machine. The amount of bandwidth used likely will be less than that used when uploading a tarball and the data size will be the same. Either, way you still have the same ingestion limit. Running a UF on a machine uses very little resources.

Loading log files on demand introduces a significant delay between when an event occurs and when Splunk can detect it.

Agreed, distribution of the software is trivial, but constantly sending logs will generate much more traffic than the occasional request for some logs. If Splunk doesn't support a user "dropping" a file then maybe it not the right tool in this situation. Thank you for your feedback.

I didn't say Splunk couldn't do it. Splunk can do it. Install a single forwarder on a system that monitors an empty directory. Drop files in there when you wish and they will be indexed.

That isn't a very proactive way of monitoring your machines, however.

UFs can be configured to pull only selected Windows event codes to help reduce the amount of traffic.