I have hunted high and low for documentation of appropriate sourcetypes.conf and props.conf stanzas for the Nagios event logs, without installing the SplunkForNagios app. I don't want all the fancy stuff, just to index the event logs for incident investigation. I have created the index, and now I want to do a one-shot import of an existing log (which I know how to do), but I want the indexing and extraction properties right before I do.
Trouble is, when it comes to understanding props, sourcetypes, and transforms I am a complete novice. My only Splunk experience lies in searches, basic server installation, and log/storage management. Field extraction I can do interactively, after the fact, once I have some sample logs indexed.
I am puzzled because I downloaded and extracted the SplunkForNagios app to dissect it, and there is no indexes.conf, no inputs.conf and no sourcetypes.conf. That really threw me. How the heck is it supposed to determine where to get the logs from, or where to put them?
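As an added illustration (not code from this thread or from the SplunkForNagios app) of what the props.conf and transforms.conf stanzas for such a sourcetype need to capture, the script below parses the nagios.log line shape directly: an epoch timestamp in square brackets, an upper-case event type before the colon, and semicolon-separated positional fields whose meaning depends on the event type. The sample log lines are constructed for the example, and the field names (host, service, state, state_type, attempt, output, and so on) are my own choice, since naming is subjective; the `parse_nagios_log` and `summarize_hard_problems` functions are hypothetical helpers, not a Splunk API.

```python
import re
from datetime import datetime, timezone

# Constructed sample of nagios.log content (not real data): one event per line,
# "[<epoch>] <EVENT TYPE>: <field>;<field>;...". Status/startup lines have no event type.
SAMPLE_LOG = """\
[1325376000] Nagios 3.2.3 starting... (PID=1234)
[1325376060] SERVICE ALERT: web01;HTTP;CRITICAL;SOFT;1;Connection refused
[1325376120] SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;Connection refused
[1325376180] SERVICE NOTIFICATION: oncall;web01;HTTP;CRITICAL;notify-service-by-email;Connection refused
[1325376240] HOST ALERT: db01;DOWN;HARD;1;PING CRITICAL - Packet loss = 100%
[1325376300] EXTERNAL COMMAND: ACKNOWLEDGE_SVC_PROBLEM;web01;HTTP;2;1;1;admin;looking into it
[1325376360] SERVICE ALERT: web01;HTTP;OK;HARD;1;HTTP OK: HTTP/1.1 200 OK - 1 second
"""

# The timestamp and event-type split is exactly what a Splunk props.conf stanza would
# express as SHOULD_LINEMERGE = false, TIME_PREFIX = ^\[, TIME_FORMAT = %s; the
# semicolon fields are what a transforms.conf REGEX/FORMAT pair per event type would extract.
LINE_RE = re.compile(
    r"^\[(?P<epoch>\d+)\]\s+(?:(?P<event_type>[A-Z][A-Z_ ]*?):\s*)?(?P<body>.*)$"
)

# Positional field layouts per event type, in the order Nagios writes them.
# Field names are hypothetical choices for this example.
FIELD_LAYOUTS = {
    "HOST ALERT": ["host", "state", "state_type", "attempt", "output"],
    "SERVICE ALERT": ["host", "service", "state", "state_type", "attempt", "output"],
    "HOST NOTIFICATION": ["contact", "host", "state", "command", "output"],
    "SERVICE NOTIFICATION": ["contact", "host", "service", "state", "command", "output"],
    "EXTERNAL COMMAND": ["command", "args"],
}


def parse_nagios_line(line):
    """Return a dict of extracted fields for one nagios.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    epoch = int(m.group("epoch"))
    event = {
        "_time": epoch,
        "time_iso": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "event_type": m.group("event_type") or "LOG_MESSAGE",
    }
    body = m.group("body")
    layout = FIELD_LAYOUTS.get(event["event_type"])
    if layout:
        # Limit the split so the free-text output field keeps any semicolons it contains.
        parts = body.split(";", len(layout) - 1)
        event.update(zip(layout, parts))
    else:
        event["message"] = body
    return event


def parse_nagios_log(text):
    """Parse every non-empty line of a nagios.log excerpt, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_nagios_line(line)
        if parsed is not None:
            events.append(parsed)
    return events


def summarize_hard_problems(events):
    """Count HARD-state, non-recovered host/service alerts per host, as a first triage view."""
    counts = {}
    for ev in events:
        if ev["event_type"] not in ("HOST ALERT", "SERVICE ALERT"):
            continue
        if ev.get("state_type") != "HARD" or ev.get("state") in ("OK", "UP"):
            continue
        counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_nagios_log(SAMPLE_LOG)
    for ev in parsed:
        print(ev["time_iso"], ev["event_type"], {k: v for k, v in ev.items() if k not in ("_time", "time_iso", "event_type")})
    print("HARD problems per host:", summarize_hard_problems(parsed))
```

The point for the props.conf question is that the timestamp rule and the line-breaking rule are the same for every line, while the field extraction differs by event type, so a single catch-all regex will mis-assign fields; one transforms.conf extraction per event type (or a search-time extraction keyed on the event type) is the shape that gives usable fields for incident investigation.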
I'm not familiar with the Nagios app, but often app developers will leave the index and input creation up to the user rather than assume to know what will work best for each environment. One customer may have all of their data in the main index. Another may split data into multiple indexes.
As such, they don't specify indexes within saved searches or eventtypes. This makes them less efficient, but more likely to match a greater number of users.
As for sourcetypes, what to name sourcetypes is usually subjective. If you aren't using the app, name it what you will, as long as the corresponding props.conf file references the correct name.
Hope that helps!
Resurrecting my interest in this topic, my concern is not how to name things which is (as you say) entirely subjective and influenced by whatever naming hierarchy one is used to. My interest is in the substance of the type declarations to gain the maximum benefit from having the logs indexed to begin with.