Fix Splunk sourcetype to use colon separator (dmarc:failure) matching original convention

Co-authored-by: seanthegeek <44679+seanthegeek@users.noreply.github.com>
2026-06-25 03:24:18 +00:00 · 2026-02-20 21:05:08 +00:00
parent 23f2cb99c3
commit 851ac3b6f2
1 changed files with 1 additions and 1 deletions
@@ -155,7 +155,7 @@ class HECClient(object):
        json_str = ""
        for report in failure_reports:
            data = self._common_data.copy()
-            data["sourcetype"] = "dmarc_failure"
+            data["sourcetype"] = "dmarc:failure"
            timestamp = human_timestamp_to_unix_timestamp(report["arrival_date_utc"])
            data["time"] = timestamp
            data["event"] = report.copy()