Our Splunk environment is producing many Windows eventlog entries with broken sourcetypes.
When looking at the source log line, it's clear with no strangeness, but the sourcetype appears broken.
I've been through the deployment server inputs.conf and transforms.conf but can't see anything obvious.
Is there anything I'm missing?
Thanks.
Hi @sternbernard,
Check whether, in the inputs.conf stanza related to those events, there's a sourcetype assignment or whether there's an automatic assignment.
If not, add the correct value.
Ciao.
Giuseppe
Thanks.
Just seen the Splunk_TA_windows app is 4.8.4, so I'm assuming that's the problem.
Hi @sternbernard,
Good for you, see you next time!
Please accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉