Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to override Source Type for Windows Eventlog

FritzWittwer_ol
Contributor
‎03-05-2013 05:57 AM

How do I change the sourcetype for evenets from Windows eventlog, it is usualy WinEventLog:, where logname may be for exameple System or Application. In the following inputs.conf configuration

[WinEventLog:System]
sourcetype=tidal_evtl
disabled = 0

the events arrive with a sourcetype of WinEventLog:System instead of tidal_evtl.

0 Karma
Reply

treinke
Builder
‎03-05-2013 06:18 AM

Using the props.conf file on the indexer might be the way to go. The following should make everything with a source of WinEventLog:System have a sourcetype of tidal_evtl.

[source::WinEventLog:System]
sourcetype = tidal_evtl
There are no answer without questions
Reply

FritzWittwer_ol
Contributor
‎03-05-2013 06:37 AM

Well this will not solve my problem, I have to assign different source types to the same event log on different servers, so I have to change it on the forwarder, not on the indexer.
I know not the proper way to do it in Splunk, but his is an app I inherited which relays on this.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...