Hi pmac22,
Yes, this issue is because of the sourcetype changes for WinEventLog data in the latest Splunk Add-on for Windows.
If you are getting data using the latest version of Splunk_TA_windows (v5.0.1), then the query sourcetype="WinEventLog:Security" won't work.
Reason: In Splunk_TA_windows v5.0.x, the WinEventLog:* source types are merged, and all the WinEventLog data would be populated in a common "WinEventLog" source type and would be differentiated by source (which is unchanged).
That's why the query (source="WinEventLog:Security") is working.
Solution: If you have reinstalled Splunk_TA_windows v4.8.4, then check if the inputs are properly configured and the props.conf and transforms.conf changes are reverted on the forwarder as well as the SH/IDX.
Note: The add-on Splunk_TA_windows v5.0.x is not compatible with Exchange app 3.4.x.
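Saved searches and detections that still filter on the old per-channel sourcetypes return nothing once data arrives under the merged "WinEventLog" sourcetype, so they fail silently. The following is an added example, not part of the original answer or of the add-on: it audits a savedsearches.conf for such filters and proposes the equivalent source= filter. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample savedsearches.conf; stanza names and searches are made up.
SAMPLE_CONF = r'''
[Failed logons]
search = sourcetype="WinEventLog:Security" EventCode=4625 \
    | stats count by user

[Service installs]
search = sourcetype=WinEventLog:System EventCode=7045

[Already migrated]
search = source="WinEventLog:Security" EventCode=4720
'''

# sourcetype=WinEventLog:<channel>, quoted or unquoted, any letter case.
# The merged sourcetype "WinEventLog" (no colon) is deliberately not matched.
OLD_ST = re.compile(r'\bsourcetype\s*=\s*("?)(WinEventLog:[^\s"|)]+)\1', re.IGNORECASE)


def parse_searches(conf_text):
    """Return {stanza: search}, joining backslash-continued lines first."""
    joined = re.sub(r'\s*\\\r?\n\s*', ' ', conf_text)
    searches, stanza = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            stanza = line[1:-1]
        elif stanza and re.match(r'search\s*=', line):
            searches[stanza] = line.split('=', 1)[1].strip()
    return searches


def migrate(search):
    """Rewrite per-channel sourcetype filters to source filters (unchanged in v5.0.x)."""
    return OLD_ST.sub(lambda m: f'source="{m.group(2)}"', search)


def audit(conf_text):
    """Return {stanza: (old, new)} for searches that depend on the old sourcetypes."""
    return {name: (s, migrate(s))
            for name, s in parse_searches(conf_text).items() if OLD_ST.search(s)}


if __name__ == "__main__":
    for name, (old, new) in audit(SAMPLE_CONF).items():
        print(f"[{name}]\n  old: {old}\n  new: {new}")
```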