From 2d7a56b74049960683d10abe5bd93c726218fc5a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Feb 2026 21:05:08 +0000
Subject: [PATCH] Fix Splunk sourcetype to use colon separator (dmarc:failure) matching original convention

Co-authored-by: seanthegeek <44679+seanthegeek@users.noreply.github.com>
---
 parsedmarc/splunk.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parsedmarc/splunk.py b/parsedmarc/splunk.py
index 82174ac..b9d2c0d 100644
--- a/parsedmarc/splunk.py
+++ b/parsedmarc/splunk.py
@@ -157,7 +157,7 @@ class HECClient(object):
 json_str = ""
 for report in failure_reports:
 data = self._common_data.copy()
- data["sourcetype"] = "dmarc_failure"
+ data["sourcetype"] = "dmarc:failure"
 timestamp = human_timestamp_to_unix_timestamp(report["arrival_date_utc"])
 data["time"] = timestamp
 data["event"] = report.copy()
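Review bot: The new sourcetype literal `"dmarc:failure"` is hard-coded inline on the added line, and nothing in the hunk records that Splunk-side content (props/transforms stanzas, saved searches, alerts) matches on this exact string. Events already indexed as `dmarc_failure` will not be returned by searches written for the new value, so detections keyed on either spelling can silently go quiet; presumably this needs a changelog or upgrade note. I would add a comment such as `# Splunk sourcetype: searches and alerts match this exact string; keep the dmarc:<type> form` above the assignment, and ideally a test asserting the value sent to HEC. The enclosing method starts and ends outside the hunk, so whether the sibling report types use the same convention cannot be checked here.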