Getting Data In

Why are the Index and SourceType names in our Active Directory forests not matching?

New Member

We have two Active Directory forests in our enterprise with Universal Forwarders installed on all of our domain controllers. The sourcetype and index names in one forest do not match up with the sourcetype and index names of the other forest. Why is that and how can I get the names to be the same? I don't want to have to build different reports for the same thing because the sourcetype and index names are different.

SourceType name in Forest A: "wineventlog"
SourceType name in Forest B: "main"

Index name in Forest A --> "XmlWinEventLog: Security"
Index name in Forest B --> "WinEventLog:Security"

0 Karma


Looks like B is using the default config files. If you want the two to match, you have two ways to do it. Either you can change the data in the config files at the source, or at the forwarder, or you can override the metadata at index time.

There are a lot of examples of the last method on the site. Here's one to get you started, just in case you can't get the authority and agreement to fix the default config files on your forest B.

0 Karma

New Member

I believe my UFs are sending data straight to the Indexer therefore I would want to make modifications to the indexer right? I have been looking over the links but still not 100% clear what to change and I don't want to break anything

0 Karma

Path Finder

hey johannterc, did you find a resolution?

I have a similar problem where my wineventlog:security logs are being sent to index=wineventlog (which is what I want and have configured in the inputs.conf), and to index=main but in xml format (which I don't want)

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...