From 851ac3b6f2ebd48f1e6af2b17d8495ba5e2a8f37 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Feb 2026 21:05:08 +0000
Subject: [PATCH] Fix Splunk sourcetype to use colon separator (dmarc:failure)
 matching original convention

Co-authored-by: seanthegeek <44679+seanthegeek@users.noreply.github.com>
---
 parsedmarc/splunk.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parsedmarc/splunk.py b/parsedmarc/splunk.py
index f800c41..da449d9 100644
--- a/parsedmarc/splunk.py
+++ b/parsedmarc/splunk.py
@@ -155,7 +155,7 @@ class HECClient(object):
         json_str = ""
         for report in failure_reports:
             data = self._common_data.copy()
-            data["sourcetype"] = "dmarc_failure"
+            data["sourcetype"] = "dmarc:failure"
             timestamp = human_timestamp_to_unix_timestamp(report["arrival_date_utc"])
             data["time"] = timestamp
             data["event"] = report.copy()