Is it possible to only display a workflow on a certain sourcetype?
I have a lookup that takes the "EventCode" field in "WinEventLog:Security" sourcetype. However, this field also exists in Application and System logs, but the site the lookup is going to only has information about Security event.
"You can set up workflow actions that only apply to events that have a specified field or set of fields. ...you would declare http_status in the Apply only to the following fields setting.
...When more than one field is listed the workflow action is displayed only if the entire list of fields are present in the event."
Based on this information I thought I would be able to accomplish what I want by adding a second field that is not available in the System log, however, no matter what I add here, the workflow action is displayed for ALL events, even ones which do not have either field.
Its not a search results issue. I have a workflow set up which has "Apply only to the following fields" set to "EventCode". However, this field is available in Security log events and System log events. I want to limit this action to only show for Security log events.
In doing some additional testing I think there may be a different behavior (bug) in version 6. According to the documentation (http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/CreateworkflowactionsinSplunkWeb):
Then you need to adjust your search to select only the events you want to see (or remove those you don't want to see). For example, 'sourcetype="WinEventLog:Security" LogName="Security" | ...'