I'm trying to implement Splunk on a really big project.
My team and I already used a LogLogic solution and want to go through a Splunk's one.
The problem is that all the logs of this network (decades Active Directory areas) are currently relayed to the LogLogic SIEM and then to my Splunk Indexer over TCP.
That's means that I can configure only one TCP input on my indexer.
Question is : How can I tell Splunk to define new sourcetypes based on differents events indexed such "This is a Windows Log" or "That is an Arkoon log" etc ... ?
Should I use a Splunk Forwarder to parse data upstream or anything else ?