According to the documentation for Splunk version 3.x, there is the ability to alias a sourcetype; however, it does not appear to exist under version 4.x.
I find myself in the position where I have many applications all logging via log4j and would like to be able to filter my searches on application type.
I was hoping to be able to set up the forwarders via the CLI, adding the monitor statements with an explicit -sourcetype.
The only other option I can see is to set up tags on each of the source statements based on filename. (Can tags be managed automatically for certain sources, perhaps based on a regex?)
Any suggestions or clarifications would be greatly appreciated.
P.S. In case it was not immediately obvious, yes, I am very new to Splunk.