Oh, heya Burch. I was referring to this post by "FrankVl". >> It's just a label used to categorize data that has similar structure and content.
I liken it to a map. It defines the steps needed to figure out what kind of creature is behind the fourth comma. That number behind the seventh colon, that's obviously packed size. This approach has a bonus in that it lets me sing the map song from Dora.
Ha ha. That sounds like a solid way to explain what the sourcetype does. I imagine it might still get questions around why sourcetypes are used rather than just the sources, which then opens up landing the concept perfectly.
Your explanation sounds very much like the description of objects in object-oriented programming. The sourcetype allows you to group data in similar object types. This makes it easier to write configurations such as field extractions, tagging, etc. on each sourcetype. Also, when you add new data, if it already fits one of the molds that you already have, you don't need to rewrite the configs all over again.
Great point, and I think this is a great nuance of how to cater an explanation to the right audience. While a very tech-agnostic suggestion might work for business users, an object-oriented one will resonate with techies! Kudos!
I think of indexes like bookshelves and sources like content. In that analogy, sourcetypes are like types of media. You could read an article in a newspaper or magazine, but that article could also be excerpted in a book. A lot of classic books were once serialized in magazines. You can even listen to a book or magazine article on a service like Audible.
Different audio media like cassettes and CDs can also contain the same content (source), and the medium determines how you interact with that content. If the media content is on a CD, you can easily skip back and forth on tracks, but not on a cassette.
All of these media (sourcetypes) determine how you get your content (source). You have to use different methods and have certain capabilities to handle each type of medium. Print books are no good to those without sight, and audio is useless to those without hearing. So it's important to choose the right medium (sourcetype) in order to get the content in a way that's useful.
Maybe in this analogy it's the human that's the indexer? I guess that's where it breaks down.
Ha ha. I love the humility that you end it on.
It's an interesting concept. I honestly have had to read it a few times to follow. I'm curious if it's too involved OR if I'm just getting too close to the end of the day on a Friday.
Anyway, thanks for the contribution and the concept!
As the child of a librarian, this analogy makes great sense to me! The librarian, who fills out the catalog entry for a given item, is the indexer. This analogy also accounts for cross-references. The patron is the search head.
I like to keep things simple so everyone understands what I'm intending to explain.
Consider Splunk as a database:
Index = database name
sourcetype = tables
_time = when these events were recorded in Splunk
host, source, sourcetype, _time are the key identifiers to create various views on the database.
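To make the "objects/tables" idea above concrete, here is an added configuration example (not from any post in this thread, and not a real vendor's format): one props.conf stanza per sourcetype carries the timestamp and field-extraction rules once, and inputs.conf then only has to label new data with an existing sourcetype for it to be parsed the same way. The sourcetype names acme:webproxy and acme:vpn, the index name netsec, the file paths, and the sample log lines in the comments are all constructed assumptions for illustration.

```ini
# --- props.conf (added example; sourcetype names and formats are assumed) ---
# The "table definition": everything Splunk needs to parse one kind of data
# lives in the sourcetype stanza, not on the individual source.

[acme:webproxy]
# Constructed sample line this stanza is written for:
#   2024-05-01T10:15:32Z proxy01 user=alice dst=example.com action=allow bytes=5120
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
# key=value pairs (user=, dst=, action=, bytes=) are picked up automatically
KV_MODE = auto
# the second whitespace-separated token has no key, so it needs an explicit extraction
EXTRACT-proxy_host = ^\S+\s+(?<proxy_host>\S+)\s

[acme:vpn]
# Constructed sample line this stanza is written for:
#   May  1 10:15:40 vpn01 LOGIN user=bob src_ip=203.0.113.7 result=success
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
KV_MODE = auto
# host name and event verb are positional, so extract them by pattern
EXTRACT-vpn_fields = ^\w{3}\s+\d+\s[\d:]+\s(?<vpn_host>\S+)\s(?<vpn_event>\S+)\s

# --- inputs.conf (added example; paths and index name are assumed) ---
# The "rows": each source is just labelled with the table it fits into.
# index  = the database this data lands in
# sourcetype = which props.conf stanza parses it

[monitor:///var/log/proxy/access.log]
index = netsec
sourcetype = acme:webproxy

[monitor:///var/log/vpn/auth.log]
index = netsec
sourcetype = acme:vpn

# A second proxy appliance writing the same format needs no new extractions:
# reusing the sourcetype reuses the whole parsing configuration, which is
# exactly the "fits one of the molds you already have" point made above.
[monitor:///var/log/proxy-dmz/access.log]
index = netsec
sourcetype = acme:webproxy
```

One practical caveat: because host, source and sourcetype are the keys every later search, tag and detection rule is written against, a new feed assigned the wrong sourcetype (or left on a generic one) silently gets the wrong timestamp and field rules, so checking that `_time` and the expected fields come out right on a sample of the new data before it goes to production is worth the minute it takes.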