
Different sourcetype naming: Splunk 7.2.4 and 8.* or is it the Heavy Forwarder?

Hi,

all our UF and HF use the following for the Windows input:

    [WinEventLog://Security]
    sourcetype=XmlWinEventLog:Security
    renderXml=1
    ...

All UF and the cluster are Splunk 7.2.4.2. I recently installed a few HF and used the latest Splunk code there: 8.0.2.

My 7.* UF arrive with the following source type and source:

    XmlWinEventLog:Security
    XmlWinEventLog

My 8.* HF arrive instead with:

    WinEventLog:Security
    xmlwineventlog

Any ideas what's going wrong?

I have the Splunk_TA_windows installed on the Search Head, which renames all the source types, but that of course applies to all win source types. But it looks like the source type renaming only applies for the HF, and it still does not explain why the source is changed as well.

thx
afx
