@oylkm then you might need to define line breaking and timestamp extraction. If there is a addon for F5 in splunkbase it might be already having sourcetype definitions that you are after.

The data inputs is actually defined in inputs.conf to monitor a location, attach to an index/sourcetype and nothing is defined in the current props.conf. Will it still work if I create a new props.conf and define a separate settings?

@oylkm inputs always on host where data present.  Splunk by default ships with few generic sourcetypes which one you are after?

default generic sourcetypes are usually present under system/default dir in props.conf, custom sourcetypes Splunk recommends to put it under system/local or app_name/local directory and if your splunk environment is distributed then you have to put them under HF, if  there is no HF put them on indexers. It does work with new sourcetypes (define your own name) it just to be deployed under right place and having correct line_breaking and timestamp extractions.

Since you are going to use settings of default sourcetypes, just changing the name it should work fine. You can read more here - https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Data/Whysourcetypesmatter

---

An upvote would be appreciated and Accept solution if it helps!

So this is what I've come up with on the base sourcetype. 

[apm:apm:syslog]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = true
TZ = Newzealand/Auckland

Are you suggesting I create another props.conf file under the same app? If so how do I make it reference the same index as well. I want to call the new sourcetype apm:apm:syslog:ltm.