Clarification on WinEventLog vs wineventlog source...

TheBravoSierra · ‎06-05-2023

Hi all,

I have data coming in, parsing and indexing correctly to a windows index. This data comes in with either one of two sourcetypes: "WinEventLog" and "wineventlog". The sources appear to be the same, so I am having difficulty understanding what corresponds to each sourcetype. Any help is appreciated. Thank you.

VatsalJagani · ‎06-05-2023

@TheBravoSierra - Are you having Sysmon data? That may have "wineventlog" (lower case) sourcetype value.

PickleRick · ‎06-05-2023

Since sourcetype is case-sensitive (regarding props.conf and event processing) so strictly technically these are two distinct sourcetypes. It seems though that for some reason (probably backwards compatibility) they share definitions in TA-windows.

Generally, you should be using the new name - WinEventLog.

Clarification on WinEventLog vs wineventlog sourcetype?

props.conf

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation