Getting Data In

Change sourcetype of WinEventLog:Security at input time?

Jason
Motivator

How can you change the sourcetype of WinEventLog:Security at input time?

In inputs.conf, adding sourcetype= underneath a [WinEventLog:Security] stanza did not work - but adding index= did change the index properly.

0 Karma

gkanapathy
Splunk Employee

The sourcetype of WinEventLog:* events is set by props/transforms. (In the current version of the Splunk for Windows app, at least. I would expect certain future versions to be rewritten to use modular inputs. It is possible that some versions also used the ***SPLUNK*** header processing. This mechanism is described here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Assignmetadatatoeventsdynamically and is controlled by the HEADER_MODE setting in props.conf, in conjunction with data added to the input stream by the collection program.) The only way you can really modify it effectively would be to use props/transforms.

0 Karma
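
The props/transforms override described in the answer above, written out as an added example (not part of the original posts and not taken from the Splunk for Windows app). The transform name `set_security_sourcetype` and the target sourcetype `custom:wineventlog:security` are placeholders, and the props stanza assumes the events arrive with `source` set to `WinEventLog:Security`.

```ini
# ---- props.conf ----
# Match on source rather than sourcetype, so the rule does not depend on
# what sourcetype another transform has already assigned to the event.
[source::WinEventLog:Security]
TRANSFORMS-set_security_sourcetype = set_security_sourcetype

# ---- transforms.conf ----
[set_security_sourcetype]
# Match every event from this source; narrow the regex to rewrite only
# some events (for example, specific event codes).
REGEX = .
# Index-time metadata rewrite: DEST_KEY selects the sourcetype field,
# FORMAT supplies the new value (placeholder name, pick your own).
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom:wineventlog:security
```

Both files have to be deployed on the instance that parses the data (an indexer or heavy forwarder), because a universal forwarder does not apply index-time transforms. Field extractions, saved searches and detection rules keyed to the original `WinEventLog:Security` sourcetype will not match events renamed this way, so check what depends on that sourcetype before changing it.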