- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well
It seems that nobody knowns the answer, so as Splunk is AWESOME I will give for granted that it is able to parse unlimited number of distinct sourcetypes.
PS: I want my self-learner badge!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well
It seems that nobody knowns the answer, so as Splunk is AWESOME I will give for granted that it is able to parse unlimited number of distinct sourcetypes.
PS: I want my self-learner badge!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't answer what the hard limit is -- probably needs to be tested and confirmed by Splunk (or some unlucky customer). However there are performance issues that can result from too many source types. I've experienced them after finding a source configured with auto-sourcetyping which basically created a new sourcetype every time the log rolled. It caused Splunk performance to go down the crapper.
