Change sourcetype of WinEventLog:Security at input time?

Motivator

How can you change the sourcetype of WinEventLog:Security at input time?

In inputs.conf, adding sourcetype= underneath a [WinEventLog:Security] stanza did not work - but adding index= did change the index properly.


Re: Change sourcetype of WinEventLog:Security at input time?

Splunk Employee

The sourcetype of WinEventLog:* events is set by props/transforms. (In the current version of the Splunk for Windows app, at least. I would expect certain future versions to be rewritten to use modular inputs. It is possible that some versions also used the ***SPLUNK*** header processing. This mechanism is described here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Assignmetadatatoeventsdynamically and is controlled by the HEADER_MODE setting in props.conf, in conjunction with data added to the input stream by the collection program.) The only way you can really modify it effectively would be to use props/transforms.

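The props/transforms override the answer refers to, written out as an added example; it is not code from the original thread or from the Splunk for Windows app. The transform stanza name `set_security_sourcetype` and the target sourcetype name `win_security_custom` are assumptions chosen for illustration.

```ini
# props.conf  (on the parsing tier: indexer or heavy forwarder, not a universal forwarder)
# Match on the sourcetype the Windows input assigns and hand the events to a transform.
[WinEventLog:Security]
TRANSFORMS-set_security_sourcetype = set_security_sourcetype

# transforms.conf
# Index-time rewrite of the sourcetype metadata key.
# REGEX = . matches every event; narrow it (for example to a specific EventCode)
# if only a subset of Security events should be relabelled.
[set_security_sourcetype]
REGEX = .
FORMAT = sourcetype::win_security_custom
DEST_KEY = MetaData:Sourcetype
```

Two things to check after restarting Splunk: the stanzas must sit where parsing happens (a universal forwarder does not run props/transforms, so the override is ignored there), and a search such as `sourcetype=win_security_custom` should return the Security events while `sourcetype="WinEventLog:Security"` returns none for new data. Because the Splunk for Windows app keys its search-time field extractions and tags to the original sourcetype, any extractions or CIM mappings you rely on for detection must be re-declared against the new sourcetype name, otherwise fields like EventCode and Account_Name stop being extracted for those events.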