I have one file with multiple JSON types in it.
What is the best way to get this data into Splunk.
I dont think i can use a universal forwarder as i cant specify the sourcetype as i is multiple.
Someone said use a heavy forward and do the work of splitting the data into different source types before i send it.
Is this the correct approach?
If the source can be edited to write to different files per sourcetype that is most ideal.
Another option that doesn't involve the universal forwarder is ingest the file using python and send to Splunk HTTP Event collector. A bit more complex but more flexible than doing regex routing at indexers.
@robertlynch2020, your indexer can also do this job, but better approach like you have said is to use heavy forward to set different sourcetype based on different JSON from the same source through props.conf and transforms.conf for sourcetype override.
Refer to Splunk Documentation : http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides#Example:_Assign_...
And Splunk Blog: https://www.splunk.com/blog/2010/02/11/sourcetypes-gone-wild.html