Can we, because Windows SID translations need to be pointed to a specific Domain Controller based on IP, point our DMZ Universal Forwarders to the DC in the DMZ (IP=205.x.x.x) and point anything else to our internal DC? I know you can whitelist files and hosts using REGEX, but what about IP, or a REGEX of the IP? I would rather not have to adjust or keep a list of what servers are in the DMZ and update the list as they are added and removed.
No, you cannot; whenever you duplicate any WinEventLog stanza, the last one has precedence and all earlier stanzas are completely ignored. You have 2 options: you can stand up 2 instances of Splunk on the forwarder and configure each one with one of the stanzas (this is really not a big deal and works great) or you can carve out one set of events and send them to a logfile using Windows tools and Splunk that logfile. This answer discusses the latter solution:
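To check an existing deployment for the stanza-shadowing the answer describes, here is a small lint (added example, not Splunk's code or part of the original thread) that parses an inputs.conf, reports any WinEventLog stanza that is defined twice, and returns the settings that actually take effect. It assumes the standard `evt_dc_name` / `evt_resolve_ad_obj` settings for SID resolution; the sample file and DC hostnames are constructed.

```python
"""Detect shadowed WinEventLog stanzas in a Splunk inputs.conf.
Per the answer above, when a stanza header appears more than once only the
last occurrence takes effect. Added example, not Splunk's own code.
"""
from collections import OrderedDict

# Constructed sample: two [WinEventLog://Security] stanzas, each pinning
# SID resolution (evt_dc_name) to a different DC. Hostnames are placeholders.
SAMPLE_INPUTS_CONF = """\
# DMZ forwarders: resolve SIDs against the DMZ DC (205.x.x.x)
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
evt_dc_name = dmz-dc.example.local

[WinEventLog://Application]
disabled = 0

# Internal hosts: resolve SIDs against the internal DC
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
evt_dc_name = corp-dc.example.local
"""

def parse_stanzas(text):
    """Return (header, settings) pairs in file order, keeping duplicates."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or full-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], OrderedDict())
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][key] = value
    return stanzas

def effective_stanzas(text):
    """Return (effective, shadowed): last definition wins, earlier ones listed."""
    effective, shadowed = OrderedDict(), []
    for header, settings in parse_stanzas(text):
        if header in effective:
            shadowed.append((header, effective[header]))  # silently ignored by Splunk
        effective[header] = settings  # last occurrence takes precedence
    return effective, shadowed
```

Running `effective_stanzas(SAMPLE_INPUTS_CONF)` on the sample shows the DMZ Security stanza listed as shadowed and `corp-dc.example.local` as the only DC that would ever be used, which is why a single forwarder cannot serve both DCs.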