The Splunk Add-on for Unix and Linux (v6.0.1, the current version) contains a couple of curiously broad eventtype definitions in default/eventtypes.conf:
search = source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
search = (NOT sourcetype=stash) error OR critical OR failure OR fail OR failed OR fatal
Which say that any Splunk search result where the data came from a file with extension ".log", or any search query containing the search term "error", will tag the results with a "nix" eventtype. Even if you are searching IIS or firewall logs, it's tagged nix, which is comical. This raises two questions:
1) what are the implications of the eventtype on day-to-day use? Is the eventtype tag really relevant, or is it legacy from earlier versions of Splunk?
2) has anybody written/deployed a tighter filter for [nix-all-logs] and [nix-errors] than the built-in ones? I imagine just adding 'NOT vendor=Microsoft' would make sense, but I'm sure there's better logic.