NOTE: based on the OP comments, this is a common problem specifically for WinEventLog and use case mapping when uploading a CSV into WinEventLog. However, this could pertain to their situation as well, since the actual source of the data was not stated (CSV, JSON, etc.).

======================================

The issue is more with transforms.conf than inputs.conf. Since this requires transforms.conf to be edited, you will need CLI access and cannot perform this via the GUI itself (it cannot be accomplished solely via Settings --> Fields --> Field Alias), since transforms.conf cannot be edited from within the GUI. (If there is a way to do this, PLEASE let me know!)

Props.conf & transforms.conf

1. Edit the file: "$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf"

    [windows_csv]
    rename = WinEventLog

    [source::EventCode.csv]
    TRANSFORMS-fixcsv = windows-classic-csv

===========================================

2. Edit the file: "$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf"

    [windows-classic-csv]
    DEST_KEY = MetaData:Source
    REGEX = ,wineventlog:(\S+),
    FORMAT = source::WinEventLog:$1

===========================================

- Restart splunkd (when acceptable to do so) for the config changes to take effect, since you edited the transforms.conf file.
- The import file should be named 'EventCode.csv'.
- The sourcetype during the "Add Data" import should be 'windows_csv' (copied from the regular csv sourcetype).
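To sanity-check the REGEX/FORMAT pair from the answer above before restarting splunkd, here is an added Python simulation (not from the original post and not Splunk's own code) that applies the `windows-classic-csv` transform to a few constructed CSV lines. It reproduces only the narrow behaviour the stanza relies on: `REGEX` is searched against the raw event, `$1` in `FORMAT` is replaced by the first capture group, and because `DEST_KEY = MetaData:Source` the `source::` prefix names the key being rewritten rather than becoming part of the value. Lines that do not match keep their original source, and the match is case-sensitive as written, so the CSV must carry the lowercase `wineventlog:` prefix the regex expects.

```python
import re

# Transform settings copied from the transforms.conf stanza in the answer.
REGEX = r",wineventlog:(\S+),"
FORMAT = "source::WinEventLog:$1"
DEST_KEY = "MetaData:Source"

# Original source of the uploaded file, per the answer's naming requirement.
ORIGINAL_SOURCE = "EventCode.csv"

# Constructed sample CSV lines (not real exported events).
SAMPLE_LINES = [
    "01/02/2024 10:00:01,4624,wineventlog:Security,An account was successfully logged on",
    "01/02/2024 10:00:02,7036,wineventlog:System,The service entered the running state",
    "01/02/2024 10:00:03,4624,Security,this line lacks the wineventlog: prefix",
    "01/02/2024 10:00:04,4624,WinEventLog:Security,uppercase prefix does not match",
]


def apply_transform(source: str, raw: str, regex: str = REGEX, fmt: str = FORMAT) -> str:
    """Simulate a transforms.conf stanza whose DEST_KEY is MetaData:Source.

    Returns the new source value for the event, or the unchanged source
    when the regex does not match (Splunk leaves the key untouched then).
    """
    m = re.search(regex, raw)  # case-sensitive, like the PCRE default
    if not m:
        return source
    value = fmt
    # Substitute $1, $2, ... with the corresponding capture groups.
    for i, group in enumerate(m.groups(), start=1):
        value = value.replace(f"${i}", group)
    # For MetaData:Source the "source::" prefix selects the key, so strip it
    # from the stored value (the same way "sourcetype::" would be for sourcetype).
    prefix = "source::"
    return value[len(prefix):] if value.startswith(prefix) else value


def sources_for(lines, source: str = ORIGINAL_SOURCE):
    """Apply the transform to every line and return the resulting sources."""
    return [apply_transform(source, line) for line in lines]


if __name__ == "__main__":
    for line, src in zip(SAMPLE_LINES, sources_for(SAMPLE_LINES)):
        print(f"{src:<22} <- {line}")
```

Running it shows the first two lines rewritten to `WinEventLog:Security` and `WinEventLog:System`, while the last two stay at `EventCode.csv`. If the CSV export produces the channel name in a different column format (for example without the trailing comma the regex requires), adjust the REGEX here first and confirm every expected line matches before touching the live config.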