Thank you, Hunters, for taking the time to respond. It is very much appreciated.
I would also prefer to assign the correct sourcetype at input/parsing/indexing time; however, I don't have this luxury in my setup.
The client has decided, as per the design, to set the custom sourcetypes right from input/parsing time. This cannot be altered and was already the source of a lot of discussion at the time of design.
Now I am trying to make ES work without duplicating and tweaking every out-of-the-box Splunk add-on.
Now, regarding your answer, can you elaborate on your point about the impossibility to "fix CIM compliance issues at search time"? Isn't that how most CIM mappings are performed OOTB with Splunk add-ons? Before reading your comment I would have thought it was the best place for all field extractions, eventtyping...
In my situation, the search in ES for "sourcetype=NewSourcetype" actually returns all events with proper CIM mappings (tags, eventtypes, CIM-aligned field extractions). This means that the search-time sourcetype renaming works and that all search-time props/transforms do apply correctly. For this search, the tag "authentication" is applied correctly for thousands of events.
The issue occurs only when searching by the tag, e.g. "sourcetype=NewSourcetype tag=authentication". The search doesn't return any events. It seems that sourcetype renaming at search time only works when searching by sourcetype... this is very odd.
Does this clarify the issue? I can craft some screenshots if needed.
Kind regards
Vincent