Cloning is not in play with the systems I was having trouble with. I have seen (as I mentioned here: http://splunk-base.splunk.com/answers/28879/host-value-for-windows)

COMPUTER NAME (all upper case, not fqdn)
computer name (all lower case, not fqdn)
computer.domain.com.au (the value I actually want, canonical DNS fqdn)
computer.windows-domain.com.au (derived from AD info if present)

It usually highly improbable that Splunk implementers get to rename windows boxes as they see fit, and there's no built in way to normalise the hostname so this results in endless hacking to sort out.

We have seen this happen when a system is renamed or cloned AFTER the Splunk forwarder is installed. The Splunk files are not updated with the new name.

You can remove and re-install the forwarder or update the $SPLUNK_HOME\etc\system\local files with the proper hostname.

The trouble is, tracking down those hosts in an efficient manner.

I've been affected by and tracking this issue for more than a year. There doesn't seem to be any good answer (this isn't one either I'm afraid), and windows hosts seem to return an essentially random host value based on the computer name somehow :-).

Can we please have a proper solution to this in the windows app, which allows the user at setup-time to require ALL events to be indexed with either FQDN or computer name, or at any rate ONE VALUE PER COMPUTER. I've seen 'solutions' which range from hard-coding the name in inputs.conf (which isn't available with WMI anyway), messing around with props and transforms, to rewriting the data at index time. In my experience, Splunk admins can't control how a given windows box has been setup, so we must have a way to work around this reliably and consistently. Many shops, and nearly all the larger ones, are multiplatform, and it's high time that the windows and unix apps behaved the same way. Even in an all-windows site, you will see interesting variations on the hostname, which make searches and UI elements needlessly painful to construct.

Yes, inputs.conf can and will affect it. See Ledio's post below.
I cant tell why it switches from one host to another though.. You are not grabbing event logs from CPNameB through WMI or anything else, are you?

The Host field in events coming from Windows Event Logs is set by the value in "ComputerName" field. To overwrite this, set the value of the Host field in etc\apps\windows\local\inputs.conf You can set it globally under the [default] stanza, or you can set it individually for each Event Log channel:

[WinEventLog:Application]
host = host.ad.com
...

Not currently, due to other things happening on the server right now. Probably later.

Would this be affected by inputs.conf? This had the same splunk install package installed on it as other servers which are correctly reporting their ComputerName as host.

can you show us your monitor stanzas in inputs.conf?