How to override Source Type for Windows Eventlog

FritzWittwer_ol · ‎03-05-2013

How do I change the sourcetype for evenets from Windows eventlog, it is usualy WinEventLog:, where logname may be for exameple System or Application. In the following inputs.conf configuration
[WinEventLog:System] sourcetype=tidal_evtl disabled = 0

the events arrive with a sourcetype of WinEventLog:System instead of tidal_evtl.

treinke · ‎03-05-2013

Using the props.conf file on the indexer might be the way to go. The following should make everything with a source of WinEventLog:System have a sourcetype of tidal_evtl.

[source::WinEventLog:System]
sourcetype = tidal_evtl

There are no answer without questions

FritzWittwer_ol · ‎03-05-2013

Well this will not solve my problem, I have to assign different source types to the same event log on different servers, so I have to change it on the forwarder, not on the indexer.
I know not the proper way to do it in Splunk, but his is an app I inherited which relays on this.

How to override Source Type for Windows Eventlog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

How to override Source Type for Windows Eventlog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability