After installing Workday Add-on version 2.2.0, we noticed that the sourcetype changed from workday:user_activity to workday:useractivity. This change caused our Enterprise Security Authentication data model to stop populating for Workday data. After investigating, we confirmed that the issue was due to the sourcetype change. In version 2.2.0, the following is defined: default/inputs.conf: sourcetype = workday:useractivity We reverted back to an older version of the add-on, and the Authentication data model began working again as expected. Our questions are: Is workday:useractivity the intended sourcetype going forward for future versions of the Workday Add-on? There are many existing references in the add-on (and ES/CIM usage) to workday:user_activity, but not to workday:useractivity. Is this mismatch expected or will documentation/configuration be updated? While we can override the sourcetype locally (for example, via local/inputs.conf), we are hesitant to do so because of the number of existing references to user_activity. We want to avoid unintended side effects or breakage elsewhere. Any guidance on the recommended approach for ES/CIM compatibility would be appreciated.
... View more
