Splunk Search

Inconsistent search results when searching data from a renamed sourcetype.

rbal_splunk
Splunk Employee

host= rbal index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog OR sourcetype=XmlWinEventLog
| stats count
73 results

and

host= rbal* index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog OR sourcetype=XmlWinEventLog
| stats count
0 results

This is odd


rbal_splunk
Splunk Employee

1) Running the following search:

host=rbal* OR host=test index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 | stats values(_sourcetype) values(sourcetype) values(host) values(source)

2) Produces the following values for the given fields (field: value):
values(_sourcetype): WinEventLog:Security
values(sourcetype): wineventlog
values(host): EBRIAN
values(source): WinEventLog:Security

Note: The _sourcetype value of WinEventLog:Security is the original value of the sourcetype before it is renamed to wineventlog.

3) Given the above information, when we run the following search we see a count of 73 results:

host= rbal index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count
73 results

Note: normally, field values are case-insensitive, so searching sourcetype=WinEventLog / sourcetype=wineventlog should be equivalent. However, when we are dealing with sourcetype renames, the target name is case sensitive, unless you "OR" in another sourcetype; then the renamed sourcetype is not case sensitive.

4) To illustrate this:

a) We take a sourcetype that has been renamed (i.e. WinEventLog:Security has been renamed to wineventlog):
etc/apps/Splunk_TA_windows/default/props.conf

[WinEventLog:Security]
rename = wineventlog

and run a search using a different case (camel case) for the sourcetype value, and we get 0 results where we should expect to see 73 results.

host=rbal index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog
| stats count
0 results

b) If we OR another sourcetype into the SPL, we get results now, and the value of the sourcetype is reported in the interesting fields as the target sourcetype name "wineventlog".

host=rbal index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count
73 results

c) What is odd is that running the same search with either one of the sourcetypes by themselves or removing the host produces no results:

host=rbal index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog
| stats count
0 results

host=rbal index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=XmlWinEventLog
| stats count
0 results

without host
index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count
0 results

d) Even stranger, if we add an asterisk to the end of the host value, it produces 0 results.

host=rbal* index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=WinEventLog OR sourcetype=XmlWinEventLog
| stats count
0 results

e) Using the asterisk with the correct matching case for the sourcetype value (lowercase) produces the expected values.

host=rbal* index=winevent_s
earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0
sourcetype=wineventlog
| stats count
73 results

This behavior is similar to the old JIRA SPL-122984 "Searching renamed sourcetype is case-sensitive", which was documented as a known issue in 7.0 and 7.1 (https://docs.splunk.com/Documentation/Splunk/7.1.0/ReleaseNotes/KnownIssues). Also a new JIRA #, however it doesn't look like the 7.2+ known issues

An example of a sourcetype rename:
etc/apps/Splunk_TA_windows/default/props.conf
[WinEventLog:Security]
rename = wineventlog

props.conf spec:
rename = <string>
* Renames [<sourcetype>] as <string> at search time.
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the
field _sourcetype.
* Data from a renamed sourcetype only uses the search-time
configuration for the target sourcetype. Field extractions
(REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string

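The practical risk of this behaviour is a saved search or detection rule that filters on sourcetype=WinEventLog and silently returns 0 events. As an added example (not from the thread or from Splunk), the Python below parses the rename= stanzas out of a props.conf fragment and flags sourcetype filters in SPL strings that differ from the rename target only by case, or that still use the original stanza name (which must move to the _sourcetype field). The second stanza and the SPL strings are constructed for the demonstration; the first stanza mirrors the one quoted above.

```python
import configparser
import re

# Constructed props.conf fragment. The first stanza mirrors the one quoted from
# etc/apps/Splunk_TA_windows/default/props.conf in the thread; the second is an
# assumed extra rename, present only to show the parser handles several stanzas.
PROPS_CONF = """
[WinEventLog:Security]
rename = wineventlog

[XmlWinEventLog:Security]
rename = xmlwineventlog
"""

# sourcetype=<value>, optionally quoted; the lookbehind skips the _sourcetype
# field, which carries the original pre-rename name and is not renamed.
SOURCETYPE_RE = re.compile(r'(?<!\w)sourcetype\s*=\s*"?([^\s"|)]+)"?', re.IGNORECASE)

def rename_targets(props_text):
    """Return {original_sourcetype: rename_target} for every stanza with rename=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(props_text)
    return {s: cp[s]["rename"].strip() for s in cp.sections() if "rename" in cp[s]}


def audit_search(spl, renames):
    """Return (value_in_search, suggested_filter) for each sourcetype filter that
    can miss data: a case-only mismatch with a rename target (the 0-result case in
    the thread), or the original stanza name, which now lives in _sourcetype."""
    targets = {t.lower(): t for t in renames.values()}
    originals = {o.lower(): o for o in renames}
    findings = []
    for value in SOURCETYPE_RE.findall(spl):
        low = value.lower()
        if low in targets:
            if value != targets[low]:
                findings.append((value, f"sourcetype={targets[low]}"))
        elif low in originals:
            findings.append((value, f'_sourcetype="{originals[low]}"'))
    return findings


if __name__ == "__main__":
    renames = rename_targets(PROPS_CONF)
    # Constructed saved searches; the first is the thread's 0-result search.
    for spl in ("host=rbal index=winevent_s sourcetype=WinEventLog | stats count",
                'index=winevent_s sourcetype="WinEventLog:Security" EventCode=4624'):
        for bad, fix in audit_search(spl, renames):
            print(f"{spl!r}: sourcetype={bad} matches nothing, use {fix}")
```

Searches that OR in a second sourcetype are still flagged, since the thread shows the case-insensitive behaviour only in that combination and an exact-case filter is the robust form.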