Splunk Mapping reverts to default source of WinEventLog regardless of RootA configuration

[britton-from-notion]

Hey there!

It looks like the uncoder RootA to Splunk translator does not reflect provided index and source type information from an SPL query. It reverts to a windows event log as a source despite windows event log not being present in my RootA configuration.

My guess is it’s happening somewhere around here and is related to the source mapping functionality.

Let me know if you've got any ideas on why this might be happening or how I could solve it! Thank you!

[Ginger-Headed]

Hi!

Log sources are defined by source and sourcetype field values. It is not based on an index name since the index name can be custom and not explicitly related to the log source.

Section default_log_source in the mapping field defines the log source for the render (destination query). However, we found another issue: it is not working correctly for some log sources. We will work on the fix.