with the following search you can get information about you inputs: index | sourcetype | app (where the input config is)
| rest https://localhost:8089/services/data/inputs/all | table index, sourcetype, eai:acl.app
This should give you a rough idea about the origin.
I haven't been able to test it further but with the following you might be able to get the app/ serverclass relation:
check the fields eai:acl.app and title for the relation
This shows the serverclasses per app but i not sure if it can be used on any splunk instance other than the deployment server
| rest https://localhost:8089/services/deployment/server/applications | table title, serverclasses
well, i would like to be able to know in indexes, what are the sourcetypes and who put data in these sourcetypes(by servevclasses).
by doing that i can control my serverclasses are working and up to date with what i want
i got that seach from splunk answer :
| eventcount summarize=false index=* index=_* | dedup index | fields index
| map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
| fields index sourcetype
wich list index | sourcetype
so now i need to know who puts data in a sourcetype..
From what I know the sourcetype is the path from which the data is taken, I mean if splunk is taking the data from xyz.logs then source type is the path of this log file.
So to answer the question of who puts the data in source type: it is the server or the application creating the logs puts the data in the source type.
I guess I am answering what you are asking, please let me know if I am going out of the track.
ok but you missunderstand me, the application creates logs it is not responsible for putting it in splunk.
it is the sourcetype and the deployed splunk application wich retrieve the application's logs and put it in a particuliar sourcetype .