Hello,
As far as I check the Windows TA from version 5.x+ the sourcetype name will be WinEventLog and XmlWinEventLog and for compatibility reason there is a rename search-time process to name sourcetype that doesn't follow the above to wineventlog and xmlwineventlog (all lower case).
The sourcetype naming is not working for nested logs like Powershell/Operational or Sysmon/Operational so they are falling to the search-time rename. I found that the reason is that the stanzas ta-windows-fix-xml-source,ta-windows-fix-sourcetype,ta-windows-fix-classic-source doesn't work when there is nested path.
So the question (if someone from Splunk TA Dev team answer will be better): Is there any plan in the future this to be fixed and all sourcetypes will follow the WinEventLog and XmlWinEventLog naming convention or this convention will be applicable only to standard logs (everything not nested)?
I'm finding the same behavior (for powershell, sysmon, dcagent) here, but based on the props stanza in the Windows TA (version 8.0.0):
[(?::){0}WinEventLog:*]
I'm expecting the this to match with the MetaData:source
source::WinEventLog:Security
source::WinEventLog:Microsoft-Windows-Powershell/Operational
source::WinEventLog:Microsoft-AzureADPasswordProtection-DCAgent/Operational
source::WinEventLog:Microsoft-Windows-Sysmon/Operational
Then apply the transform ta-windows-fix-classic-source:
# fix classic source
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1
I would think this would match these above event logs, unless they are different from what I'm thinking.
Thanks!