I've recently updated the Splunk_TA_windows from version 4.1.8 to version 8.12. As I went through the documentation I noticed there was a new setting under inputs.conf that mentioned to set "renderXml=0" in order to keep WinEventLogs in "classic" or "friendly" mode. 

After making that update to the TA's deployed to all UF's and to the Indexer Cluster I'm now getting the same event under both formats. 

e.g., If I have an EventCode=4624 for a specific host, I run a search and I can see the same event (different format) with sources:

XmlWinEventLog:Security AND WinEventLog:Security

I only want the WinEventLogs in classic mode, don't need the XML at the moment. 😖

If I set renderXml=true I ONLY get XmlWinEventlogs.

Some Details:

- I ran btool for inputs on a dev UF and I can see that renderXml=false

- I ran btool for inputs in one indexer and I can see that renderXml=false

- Splunk_TA_windows version 8.1.2 

My inputs.conf file

[WinEventLog://Security]
disabled = 0
renderXml = false

Does anyone have any idea why I'm still seeing both formats?