I have a universal forwarder sending the application logs for a Windows 2003 server we have that only runs one application.
Here is what my inputs.conf stanza looks like:
[WinEventLog:Application]
index=radical_index
sourcetype=bizznezz
However, the logs show up in Splunk as WinEventLog:Application no matter how many times I restart the service.
Interestingly, as a test I changed the hostname in the inputs.conf and that change was immediately reflected.