How can you change the sourcetype of WinEventLog:Security at input time?

In inputs.conf, adding sourcetype= underneath a [WinEventLog:Security] stanza did not work - but adding index= did change the index properly.
The sourcetype of WinEventLog:* events is set by props/transforms. (In the current version of the Splunk for Windows app, at least. I would expect certain future versions to be rewritten to use modular inputs. It is possible that some versions also used the ***SPLUNK*** header processing. This mechanism is described here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Assignmetadatatoeventsdynamically and is controlled by the HEADER_MODE setting in props.conf, in conjunction with data added to the input stream by the collection program.) The only way you can really modify it effectively would be to use props/transforms.
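The props/transforms override the answer refers to looks like the following. This is an added example, not configuration from the original answer or from the Splunk for Windows app; the transform name winsec_set_sourcetype and the target sourcetype win:security are placeholders chosen here.

```ini
# props.conf (added example): attach an index-time transform to the
# sourcetype that the Windows input assigns on arrival.
[WinEventLog:Security]
TRANSFORMS-set_sourcetype = winsec_set_sourcetype

# transforms.conf (added example): rewrite the sourcetype metadata key.
# REGEX = . matches every event; narrow it (for example to a specific
# EventCode string in _raw) if only a subset should be re-typed.
[winsec_set_sourcetype]
REGEX = .
FORMAT = sourcetype::win:security
DEST_KEY = MetaData:Sourcetype
```

Both files must live on the indexer (or heavy forwarder) that parses the data, and a restart is needed for the change to take effect. Because the rewrite happens at index time, any search-time field extractions or lookups keyed on sourcetype=WinEventLog:Security will no longer apply to the re-typed events unless they are cloned to the new sourcetype.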