I have a question regarding best practices for sourcetypes and how pre-trained sourcetypes work.
I had some java logs which a member of my group was struggling with, and I suggested to him that he just use the "log4j" sourcetype. Once that change was made, it worked fine. I've been requiring that certain parameters be used in our sourcetypes, based upon Splunk recommendations and the Splunk "Getting Data In, Correctly" document and .conf presentation. In that doc, they recommend:
We have been using that in all of our .props settings. So far, so good. Since we decided to use the pre-trained log4j, I decided to see what the props settings were for that sourcetype by executing "./splunk btool props list log4j". Here's the output:
The time format is not fixed in log4j, so Splunk cannot assume one format. If your company has standardised on a date format, it would be good practice to add TIME_FORMAT to save Splunk having to test all possibilities.
In general, it is good practice to use or clone Splunk pre-trained sourcetypes and, as always, the more you tell Splunk, the less it has to "guess", which reduces indexing load.
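As an added illustration of the answer above (not part of the original thread or of Splunk's shipped configuration), here is a props.conf stanza that clones the pre-trained log4j sourcetype and pins the timestamp handling for one standardised layout. The sourcetype name "log4j_acme" and the assumed log line layout ("2024-05-01 12:34:56,789 INFO ...") are constructed for this example; adjust TIME_FORMAT, TIME_PREFIX and the LINE_BREAKER lookahead to match whatever pattern your appenders actually emit.

```ini
; Constructed example stanza for props.conf (e.g. in a local/ directory of your own app).
; It assumes each event starts with a line such as:
;   2024-05-01 12:34:56,789 INFO  [main] com.example.App - started
; and that Java stack traces continue on following lines that do NOT start with a date.
[log4j_acme]
; Keep the pre-trained behaviour as the starting point, then override what we know.
; (Copy the remaining keys from `splunk btool props list log4j` if you want a full clone.)
category = Custom
description = log4j events with a company-standard timestamp layout

; Timestamp handling: tell Splunk exactly where the timestamp is and how it looks,
; so it does not have to try every supported format on every event.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
; Defaults to the indexer's zone if the log carries none; set explicitly if your
; application servers log in a different zone than the indexers run in.
TZ = UTC

; Event breaking: split only on a newline that is followed by a new date,
; so multi-line stack traces stay attached to the log event that produced them.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )
TRUNCATE = 10000
```

Because the regular expressions above are evaluated per event on the indexing tier, keep the LINE_BREAKER lookahead anchored to the date at line start; a looser pattern can mis-split stack traces and put exception text into its own, wrongly timestamped events.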