Trying to get WinEventLogs from SF to Indexer via HF. The logs are getting indexed, but it seems like they are not getting parsed through the TA, as I am getting sourcetype as XMLWinEventLog instead of WinEventLog. Any help is appreciated.
Splunk_TA_Windows is installed on SF, HF, and Indexers.
Check the following btool command to identify the rendering of the Windows events:
$SPLUNK_HOME/bin/splunk btool inputs list <<input_name>> --debug | grep renderXML
If the value of the above parameter is set to true, the events you receive will be in XML format, and hence the sourcetype.
If you do not want the data ingested in XML format, set the parameter to false and all new events will be in classic format with the WinEventLog sourcetype.
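As an added illustration (not part of the answer above, and not Splunk's own tooling), the script below resolves the effective renderXML value for every WinEventLog stanza in btool-style output, taking inheritance from the [default] stanza into account, and maps it to the sourcetype you should expect to see. The forwarder paths, the `btool --debug` line layout (a `.conf` path prefixed to each line) and the sample stanzas are constructed assumptions.

```python
import configparser
import re
from typing import Dict, Optional

# Constructed sample of `btool inputs list --debug` output (assumed layout: each
# resolved line is prefixed with the .conf file it came from). Not from the thread.
SAMPLE_BTOOL_OUTPUT = r"""
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf [default]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf renderXML = true
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   [WinEventLog://Security]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   disabled = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   [WinEventLog://System]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   disabled = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   renderXML = false
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   [monitor://C:\Logs\app.log]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   sourcetype = app_log
"""

def strip_btool_prefix(text: str) -> str:
    """Drop the leading '<path>.conf' token btool --debug adds, leaving plain inputs.conf text."""
    return "\n".join(re.sub(r"^\S+\.conf\s+", "", line) for line in text.splitlines())

def parse_bool(value: str) -> bool:
    """Splunk accepts true/false as well as 1/0 for boolean settings."""
    return value.strip().lower() in ("true", "1", "t", "yes", "y")

def effective_render_xml(conf_text: str) -> Dict[str, Optional[bool]]:
    """Effective renderXML per WinEventLog stanza: the stanza's own value wins,
    otherwise [default] applies, otherwise None (left to Splunk's layered defaults)."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",), default_section="default")
    parser.optionxform = str  # keep key case, so renderXML is looked up as written
    parser.read_string(conf_text)
    result: Dict[str, Optional[bool]] = {}
    for stanza in parser.sections():
        if not stanza.startswith("WinEventLog://"):
            continue  # monitor://, perfmon, etc. are not affected by renderXML
        raw = parser.get(stanza, "renderXML", fallback=None)  # falls back to [default]
        result[stanza] = None if raw is None else parse_bool(raw)
    return result

def expected_sourcetype(render_xml: Optional[bool]) -> str:
    """Sourcetype the TA will assign for the resolved renderXML value."""
    if render_xml is None:
        return "unresolved (check the full btool output)"
    return "XMLWinEventLog" if render_xml else "WinEventLog"

if __name__ == "__main__":
    for stanza, value in effective_render_xml(strip_btool_prefix(SAMPLE_BTOOL_OUTPUT)).items():
        print(f"{stanza}: renderXML={value} -> {expected_sourcetype(value)}")
```

Pipe the real `btool inputs list --debug` output into `strip_btool_prefix` to audit a forwarder; any WinEventLog stanza resolving to True is the one producing XMLWinEventLog.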
It's fixed. It was an issue with inputs on the forwarders.