Solved: Getting sourcetype as XMLWinEventLogs?

KulvinderSingh · ‎11-26-2021

Hi All,

trying to get WinEventlogs from SF to Indexer via HF. The logs are getting indexed but seems likes they are not getting parsed through TA as i am getting sourcetype as XMLWinEventLog instead or Wineventlog. Any help is appreciated.

Splunk_TA_Windows is installed on SF,HF,Indexers.

regards,

tshah-splunk · ‎12-31-2021

Check the following btool command to identify the rendering of the windows events.

$SPLUNK_HOME/bin/splunk btool inputs list <<input_name>> --debug | grep renderXML

If the value of the above parameter is set to true, then the events you receive will be in XML format, and hence the sourcetype.

If you want the data to be not ingested in XML format, you can set the parameter to false and all new events will be in classic format with WinEventLog sourcetype

---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

tshah-splunk · ‎12-31-2021

Check the following btool command to identify the rendering of the windows events.

$SPLUNK_HOME/bin/splunk btool inputs list <<input_name>> --debug | grep renderXML

If the value of the above parameter is set to true, then the events you receive will be in XML format, and hence the sourcetype.

If you want the data to be not ingested in XML format, you can set the parameter to false and all new events will be in classic format with WinEventLog sourcetype

---
If you find the answer helpful, an upvote/karma is appreciated

SinghK · ‎01-02-2022

Its fixed. it was an issue with inputs on forwarders.

sb-e · ‎01-23-2023

Hello SinghK,

Could you please expand on your fix, i might be in the same senerio.

Thank you.

Getting sourcetype as XMLWinEventLogs?

sourcetype

Windows

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases