Splunk Enterprise

Source metadata disappeared from Windows Events in Search

Ian0706
Explorer

I have a problem that occurred a little while ago: the metadata for source has disappeared from all Windows events; however, it remains on other events.

This has not really been a problem up until now, when setting up Enterprise Security, where some of the macros, e.g. `powershell`, select events based on the source.

The strange part about this problem is that field extractions based on the source still seem to work; e.g. the Sysmon app (adapted to work with plain text rather than XML) is extracting `process_name` properly. Does anyone know why this may be?

Any help is greatly appreciated.


0 Karma
1 Solution

sankardevarajan
Path Finder
Run these to confirm:

1) Do the events really have a source at index time?

```spl
| metadata type=sources index=<your_windows_index>
```

If you see WinEventLog:Security, WinEventLog:Microsoft-Windows-PowerShell/Operational, etc., that proves the indexers know the true source.

2) Compare what search-time shows vs metadata

```spl
index=<your_windows_index> sourcetype=WinEventLog*
| stats count by source sourcetype
| head 20
```

If source is blank or looks wrong here while (1) shows real sources, you have an override at search time.

Where to fix it

1) Field Extractions & Aliases

  • Go to Settings → Fields → Field Extractions
    Filter for:
    • sourcetype=WinEventLog:* or XmlWinEventLog:*
    • Output field equals source (case-insensitive)
  • Also check Settings → Fields → Field Aliases for any:
    • FIELDALIAS-... = Provider_Name AS source
    • FIELDALIAS-... = Source AS source

  Fix: Disable or change the target field to something else (e.g., event_source, win_provider, provider_name).


0 Karma
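As an added example (not part of the thread or of Splunk itself): a small Python check of a props.conf file that flags search-time EVAL-, FIELDALIAS- and EXTRACT- settings in WinEventLog/XmlWinEventLog stanzas whose output field is source (or another index-time metadata field), and applies the fix suggested above by retargeting them to event_source. The props.conf content is a constructed sample, and the function names are my own.

```python
import configparser
import re
# Constructed sample props.conf (not from the thread): Windows stanzas with search-time settings writing to "source".
SAMPLE_PROPS = """
[WinEventLog:Microsoft-Windows-PowerShell/Operational]
EVAL-source = "powershell"
FIELDALIAS-provider = Provider_Name AS source
EXTRACT-proc = CommandLine=(?<process_name>\\S+)
[XmlWinEventLog:Security]
FIELDALIAS-src = Source AS source
[syslog]
EVAL-event_source = host . ":" . source
"""
RESERVED = {"source", "sourcetype", "host"}          # index-time metadata fields
WIN = ("WinEventLog:", "XmlWinEventLog:")            # stanzas the answer targets

def find_reserved_overrides(props_text, prefixes=WIN):
    """(stanza, setting, target) for each EVAL-/FIELDALIAS-/EXTRACT- setting in a
    matching stanza whose output field is a reserved metadata field."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                             # keep case of setting names
    cp.read_string(props_text)
    hits = []
    for stanza in cp.sections():
        if not stanza.startswith(prefixes):
            continue
        for key, value in cp[stanza].items():
            targets = [key[5:]] if key.startswith("EVAL-") else []   # EVAL-<field>
            if key.startswith("FIELDALIAS-"):        # <orig> AS <new> [<orig> AS <new>]
                targets = re.findall(r"\bAS\s+(\S+)", value, re.I)
            elif key.startswith("EXTRACT-"):         # named capture groups become fields
                targets = re.findall(r"\(\?P?<(\w+)>", value)
            hits += [(stanza, key, t) for t in targets if t.lower() in RESERVED]
    return hits

def retarget_source(props_text, new_field="event_source", prefixes=WIN):
    """The suggested fix: in matching stanzas, point EVAL-source and '... AS source'
    aliases at a harmless field name instead of overriding 'source'."""
    out, in_scope = [], False
    for line in props_text.splitlines():
        m = re.match(r"\s*\[(.+)\]\s*$", line)
        if m:
            in_scope = m.group(1).startswith(prefixes)
        elif in_scope:
            line = re.sub(r"^(\s*EVAL-)source(\s*=)", rf"\g<1>{new_field}\g<2>", line)
            if line.lstrip().startswith("FIELDALIAS-"):
                line = re.sub(r"\bAS\s+source\b", f"AS {new_field}", line, flags=re.I)
        out.append(line)
    return "\n".join(out) + "\n"
```

Run it against the output of `splunk btool props list --debug` (or each app's local props.conf) to see which app carries the override before editing it.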

livehybrid
SplunkTrust

Hi @Ian0706 

Have you got 'source' in the Selected Fields on the left hand column? If not, can you see 'source' in the Interesting Fields section? If so click on source and ensure the 'Yes' button is selected.


🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


0 Karma


Ian0706
Explorer

Thank you for the help. This was the exact issue: someone had a random calculation that overrode the source.

0 Karma

PickleRick
SplunkTrust

What do you mean by "disappear"? Aren't you just not showing the field as selected? If you "open" the event view and see the fields associated with the event do you see the source field?

Ian0706
Explorer

Within all fields, source does not exist. I have no clue what caused this to start happening, as all other data that is not Windows has a source; I just noticed that it had happened.

0 Karma