Fix Splunk sourcetype to use colon separator (dmarc:failure) matching original convention

Co-authored-by: seanthegeek <44679+seanthegeek@users.noreply.github.com>
2026-05-24 21:05:24 +00:00 · 2026-02-20 21:05:08 +00:00
parent 2c5a65f88c
commit 2d7a56b740
1 changed files with 1 additions and 1 deletions
@@ -157,7 +157,7 @@ class HECClient(object):
        json_str = ""
        for report in failure_reports:
            data = self._common_data.copy()
-            data["sourcetype"] = "dmarc_failure"
+            data["sourcetype"] = "dmarc:failure"
            timestamp = human_timestamp_to_unix_timestamp(report["arrival_date_utc"])
            data["time"] = timestamp
            data["event"] = report.copy()