Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Clarification on WinEventLog vs wineventlog sourcetype?

TheBravoSierra
Path Finder
‎06-05-2023 09:45 AM

Hi all,

I have data coming in, parsing and indexing correctly to a windows index. This data comes in with either one of two sourcetypes: "WinEventLog" and "wineventlog".  The sources appear to be the same, so I am having difficulty understanding what corresponds to each sourcetype. Any help is appreciated. Thank you.

 

Labels (2)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-05-2023 10:16 PM

@TheBravoSierra - Are you having Sysmon data? That may have "wineventlog" (lower case) sourcetype value.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-05-2023 01:17 PM

Since sourcetype is case-sensitive (regarding props.conf and event processing) so strictly technically these are two distinct sourcetypes. It seems though that for some reason (probably backwards compatibility) they share definitions in TA-windows.

Generally, you should be using the new name - WinEventLog.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...