Why was the sourcetype changed on the isc dhcpd sourcetype??

[dave-safian-kyndryl]

#1772

Why did the sourcetype get changed from isc:dhcp to isc:dhcpd??

Docs indicate that it should be isc:dhcp
https://splunk.github.io/splunk-connect-for-syslog/1555/sources/vendor/ISC/dhcpd/

Also the Splunk add-on to use with this datasource (as documented) should be isc:dhcp
https://docs.splunk.com/Documentation/AddOns/released/ISCDHCP/Sourcetypes

[rjha-splunk]

The document is not updated correct, we will fix it

If you need to change the sourcetype urgently please update splunk_metadata.csv and restart sc4s

isc_dhcpd,sourcetype,isc:dhcp

[dave-safian-kyndryl]

What is going to be the fix then? Are you going to leave the default sourcetype isc:dhcp or are you leaving it isc:dhcpd? Because leaving it isc:dhcpd means that a workaround is required in order for this data source to work with the ISC DHCP app..
https://docs.splunk.com/Documentation/AddOns/released/ISCDHCP/Sourcetypes

[rjha-splunk]

we are not going to change it to dhcp as it can impact other customers as well, what we are going to do is:

1. Correct the doc
2. Provide the local parser to
   override the oob parser if a customer needs it.