So I found the solution, and as usual "It was dumb" The resolution was that the hostname field was ignored by the input for some reason and the data got processed as the actual hostname of the host, not the name I gave it. When I search for the actual hostname the logs have been ingested despite the warning about DC binds. I suppose when you use that sourcetype Splunk ingests the data and runs it through the TA as it came from a native forwarder. I suspect some of the data might be missing, but I'm willing to accept that given the lack of resolution. Marking this solved for now.
... View more