When constructing a search to render a table of event counts by source, I noticed that Splunk was treating identical input sources as different based on differences in the character case of their source names. For example, one result rendered WindowsEvent:Application and WindowsEvent:application as different source types.
I reviewed inputs.conf on the hosts associated with WindowsEvent:application events and verified that their input definitions did not contain a lower-case "a" in the source name "Application".
Can anyone think of anything that could account for such a change anywhere along the data processing path between the universal forwarders and the search heads? Our path is UF --> HF --> IDX --> SH.
I've been working around this problem by augmenting searches with a search-time function, | eval source=lower(source) | stats count(host) by source ..., but I'm worried that other folks might not know about this issue and thus not incorporate such workarounds, so I'd like to correct the problem at the source (pun intended).
All components of our Splunk implementation (universal forwarders and servers) are >= 6.0.
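A search to enumerate every source name that exists in more than one case variant, and which hosts emit each spelling, can be added here as a check (this is an added example, not part of the original post, and it assumes the searching user has access to index=* and that host and source are present as indexed metadata, which is the default):

```spl
| tstats count where index=* by host, source
| eval source_lc=lower(source)
| stats sum(count) as events dc(source) as variants values(source) as spellings values(host) as hosts by source_lc
| where variants > 1
| sort - events
```

Each row of the result is one case-insensitive source with the distinct spellings seen and the hosts responsible for them, so the hosts emitting the lower-case variant (for example WindowsEvent:application) can be traced back to their forwarder rather than hidden by the lower(source) workaround. Because tstats reads the index-time metadata, the spellings it reports are the values the indexers actually wrote, which is the layer to compare against what inputs.conf on each host declares.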