Also you should told if you are using Splunk_TA_windows (also version) or have you just created those configurations by yourself? 

If you are using it have you installed it on all needed layers (UF - HF/IDX - SH) or only in some?

r. Ismo

Below is the config in TA_windows. No props or transforms. I did not configure it

[WinEventLog://Application]
disabled=0
index=*****

[WinEventLog://Security]
disabled=0
index=rhr_windows
blacklist=4674,5156

[WinEventLog://System]
disabled=0
index=*****

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****
renderXml=false

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****
renderXml=false

[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Deployment]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****
renderXml=false

[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Execution]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****

Splunk Version 8.2 but HF is on 8.1.5

Your configuration seems okay. I personally have not heard of any bug reported for Splunk that generates data in wrong sourcetypes.

You are also using the recent version of Splunk so that is even less likely to have that issue.

If you are sure that there are no props.conf or transforms.conf stanzas added/updated related to this data then you can contact Splunk support.

Will contact splunk support

One thing what you should still do is check those with btool on your HF (/UF). 

# For inputs on source system HF or was it UF?
splunk btool inputs list <stanza name here> --debug
# And for sourcetypes on your HF
splunk btool props list <sourcetype name here> --debug

That shows if there still is some other config files which overrides those settings. 

r. Ismo 

Will run btool as suggested. Will get back to you