Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to override Source Type for Windows Eventlog

FritzWittwer_ol
Contributor
‎03-05-2013 05:57 AM

How do I change the sourcetype for evenets from Windows eventlog, it is usualy WinEventLog:, where logname may be for exameple System or Application. In the following inputs.conf configuration

[WinEventLog:System]
sourcetype=tidal_evtl
disabled = 0

the events arrive with a sourcetype of WinEventLog:System instead of tidal_evtl.

0 Karma
Reply

treinke
Builder
‎03-05-2013 06:18 AM

Using the props.conf file on the indexer might be the way to go. The following should make everything with a source of WinEventLog:System have a sourcetype of tidal_evtl.

[source::WinEventLog:System]
sourcetype = tidal_evtl
There are no answer without questions
Reply

FritzWittwer_ol
Contributor
‎03-05-2013 06:37 AM

Well this will not solve my problem, I have to assign different source types to the same event log on different servers, so I have to change it on the forwarder, not on the indexer.
I know not the proper way to do it in Splunk, but his is an app I inherited which relays on this.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...