bmk666 closed this issue 5 years ago
Note: this only applies if you are using the 5.x release of TA-Windows for Splunk. The 4.x release still uses sourcetype: https://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#WinEventLog_extraction_changes
@jamesarmitage - v4 does still use sourcetype, but source is both v4 & v5 compatible
This has been addressed in the macro.
For me I have to change all the macros:
from `index=INDEX sourcetype="WinEventLog:Application"` to `index=INDEX source="WinEventLog:Application"`
because only Sysmon has its own sourcetype: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`.
All other Windows logs have sourcetype `xmlwineventlog`,
so I have to use `source=WinEventLog:System`, `source=WinEventLog:Application`, ...
BR, BMK
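The change bmk666 describes, written out as a `macros.conf` stanza pair so the two forms can be compared side by side. This is an added example, not the project's own macro definitions: the macro names and the index name `windows` are hypothetical, and the `source`/`sourcetype` values are the ones quoted in the thread above.

```ini
# macros.conf (constructed example; macro and index names are hypothetical)

# Before: relies on the per-channel sourcetype that TA-Windows 4.x assigns.
# Under TA-Windows 5.x every channel (except Sysmon) shares sourcetype
# "xmlwineventlog", so this macro silently returns no events after an upgrade.
[wineventlog_application_sourcetype]
definition = index=windows sourcetype="WinEventLog:Application"
iseval = 0

# After: the channel name survives in the source field under both the 4.x and
# 5.x add-on, so filtering on source keeps the macro working across the upgrade.
[wineventlog_application]
definition = index=windows source="WinEventLog:Application"
iseval = 0

# Sysmon is the exception noted in the thread: it keeps its own sourcetype,
# so a Sysmon macro can continue to filter on sourcetype.
[sysmon_operational]
definition = index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0
```

A quick way to confirm which form a given environment needs is to run `index=windows | stats count by sourcetype, source` over a short window: if every Windows channel collapses into one sourcetype while `source` still distinguishes `WinEventLog:System`, `WinEventLog:Application` and so on, the macros must filter on `source`.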