
will future versions of WMI not prefix all the sourcetype values with wmi?

SplunkTrust

Just curious if this is in the roadmap. It's more than a little inconvenient that when people use WMI, the sourcetypes are all "WMI:foo", and when they don't, the sourcetype is just "foo".

I find myself having to make macros and cover both cases and either duplicate stanzas in props.conf, or pull out what I can into transforms.conf. And this all seems silly since the underlying data is otherwise identical. It looks like the sort of thing that is a 'less-than-best' practice, i.e., abusing the sourcetype field to sneak in some other metadata.

Also, has anyone tried sourcetype renaming to make this problem go away?


Re: will future versions of WMI not prefix all the sourcetype values with wmi?

Path Finder

I fully agree with that one

0 Karma