I am looking at Splunk for Unix TA. I see the /var/log/messages input and for the life of me I can't find in this app where it's getting its sourcetype of "syslog". Skimmed props.conf on the TA (why does the TA have a props?) and the splunkforunix_app too.
why does the TA have a props?
Splunk has config files separately for "global and app/user contexts", so that maintenance would become easy and simple.
When the number of users and apps grows, these global and app/user contexts help in administration duties.