I have a few Windows machines Light Forwarding in to a central indexer, sending just WinEventLogs for now. For most hosts, their events' ComputerName is the same as the host field. For a couple, it's not.
It's causing confusion as server A, which shows up as ComputerName A in its events, comes through with a host field of B, the name of a different existing server not currently running a Splunk forwarder.
Where does Splunk on Windows get its host: field from, and can it be explicitly overridden?