Splunk Enterprise

Source metadata disappeared from Windows Events in Search

Ian0706
Explorer

I have a problem that occurred a little while ago: the metadata for source has disappeared from all Windows events; however, it remains on other events.

This had not really been a problem until now, when setting up Enterprise Security, where some of the macros, e.g. `powershell`, select events based on the source.

The strange part about this problem is that field extractions based on the source still seem to work, e.g. the Sysmon app (adapted to work with plain text rather than XML) is extracting `process_name` properly. Does anyone know why this may be?

Any help is greatly appreciated.


0 Karma
1 Solution

sankardevarajan
Path Finder
Run these to confirm:

1) Do the events really have a source at index time?

| metadata type=sources index=<your_windows_index>

If you see WinEventLog:Security, WinEventLog:Microsoft-Windows-PowerShell/Operational, etc., that proves the indexers know the true source.

2) Compare what search-time shows vs metadata

index=<your_windows_index> sourcetype=WinEventLog*
| stats count by source sourcetype
| head 20

If source is blank or looks wrong here while (1) shows real sources, you have an override at search time.

Where to fix it

1) Field Extractions & Aliases

  • Go to Settings → Fields → Field Extractions
    Filter for:
    • sourcetype=WinEventLog:* or XmlWinEventLog:*
    • Output field equals source (case-insensitive)
  • Also check Settings → Fields → Field Aliases for any:
    • FIELDALIAS-... = Provider_Name AS source
    • FIELDALIAS-... = Source AS source

  Fix: Disable or change the target field to something else (e.g., event_source, win_provider, provider_name).


0 Karma
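A worked example, added here and not part of any post in this thread, that mechanises the "where to fix it" check above: it scans props.conf and transforms.conf text for search-time settings (EVAL-, FIELDALIAS-, EXTRACT-, LOOKUP-, REPORT-) whose output field is one of the index-time defaults such as source, sourcetype or host. It goes beyond the answer's list of extractions and aliases by also catching calculated fields (EVAL-) and transforms.conf FORMAT settings. The two sample config texts and the stanza names in them are constructed for this example; the WinEventLog stanza deliberately contains the kind of override the question describes.

```python
"""Find search-time settings in Splunk props.conf / transforms.conf that
rewrite an index-time default field (source, sourcetype, host, ...).
Added example; the sample configs below are constructed, not from any real deployment."""
import re

# Fields Splunk sets at index time. A search-time EVAL/FIELDALIAS/EXTRACT/LOOKUP/REPORT
# that writes one of these masks the real value from every search, macro and data model.
PROTECTED_FIELDS = {"source", "sourcetype", "host", "index", "_time", "_raw"}

# Constructed sample props.conf text (not from the thread).
SAMPLE_PROPS = """\
[WinEventLog]
EVAL-source = coalesce(SourceName, "unknown")
FIELDALIAS-provider = Provider_Name AS source
EXTRACT-proc = Image=(?<process_name>[^\\r\\n]+)
LOOKUP-ids = ids_lookup EventCode OUTPUTNEW description

[XmlWinEventLog]
FIELDALIAS-evtsrc = Provider_Name AS provider_name
REPORT-sysmon = sysmon_fields
"""

# Constructed sample transforms.conf text referenced by the REPORT- setting above.
SAMPLE_TRANSFORMS = """\
[sysmon_fields]
REGEX = SourceName=([^\\r\\n]+)
FORMAT = source::$1
"""

NAMED_GROUP = re.compile(r"\(\?P?<([A-Za-z_][A-Za-z0-9_]*)>")      # (?<name> or (?P<name>
ALIAS_PAIR = re.compile(r"(\S+)\s+AS(?:NEW)?\s+(\S+)", re.IGNORECASE)  # orig AS new
FORMAT_PAIR = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)::")              # name::$n in FORMAT


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blanks are dropped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def targets_of(key, value, transforms):
    """Return the set of field names one props.conf setting writes to at search time."""
    prefix, _, rest = key.partition("-")
    kind = prefix.upper()
    if kind == "EVAL":                      # EVAL-<field> = <expression>
        return {rest}
    if kind == "FIELDALIAS":                # FIELDALIAS-<class> = <orig> AS <new> ...
        return {dst for _, dst in ALIAS_PAIR.findall(value)}
    if kind == "EXTRACT":                   # EXTRACT-<class> = <regex with named groups>
        return set(NAMED_GROUP.findall(value))
    if kind == "LOOKUP":                    # LOOKUP-<class> = <table> <in> OUTPUT[NEW] <out> [AS <f>], ...
        m = re.search(r"\bOUTPUT(?:NEW)?\s+(.*)$", value, re.IGNORECASE)
        if not m:
            return set()
        return {re.split(r"\s+AS\s+", spec.strip(), flags=re.IGNORECASE)[-1].strip()
                for spec in m.group(1).split(",")}
    if kind == "REPORT":                    # REPORT-<class> = <transforms.conf stanza>, ...
        out = set()
        for tname in (t.strip() for t in value.split(",")):
            t = transforms.get(tname, {})
            out |= set(NAMED_GROUP.findall(t.get("REGEX", "")))
            out |= set(FORMAT_PAIR.findall(t.get("FORMAT", "")))
        return out
    return set()


def find_overrides(props_text, transforms_text="", protected=PROTECTED_FIELDS):
    """Return (stanza, setting, field) triples where a search-time setting writes a protected field."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    hits = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            for field in sorted(targets_of(key, value, transforms) & protected):
                hits.append((stanza, key, field))
    return hits


if __name__ == "__main__":
    for stanza, key, field in find_overrides(SAMPLE_PROPS, SAMPLE_TRANSFORMS):
        print(f"[{stanza}] {key} overrides '{field}' at search time")
```

On a live instance, feed find_overrides the merged output of `splunk btool props list` and `splunk btool transforms list` instead of the sample strings, then rerun btool with `--debug` to see which app's file the offending stanza lives in (that output prefixes each line with a path, so strip the prefix before parsing). Every hit is a setting that should be disabled or retargeted to a non-default field name, as the answer recommends.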

livehybrid
SplunkTrust
SplunkTrust

Hi @Ian0706 

Have you got 'source' in the Selected Fields on the left-hand column? If not, can you see 'source' in the Interesting Fields section? If so, click on source and ensure the 'Yes' button is selected.


🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma


Ian0706
Explorer

Thank you for the help; this was the exact issue: someone had a random calculation that overrode the source.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

What do you mean by "disappear"? Aren't you just not showing the field as selected? If you "open" the event view and see the fields associated with the event do you see the source field?

Ian0706
Explorer

Within all fields, source does not exist. I have no clue what caused this to start happening, as all other data that is not Windows has a source; I just noticed that it had happened.

0 Karma