sourcetypes

jonathan_lam · ‎03-15-2012

We have forwarders sending data to our dedicated indexers. Do we need to set up custom sourcetypes on the forwarders or the indexers?

Please point me to documentation if this exists. Thank you!

jbsplunk · ‎03-15-2012

It depends on the kind of forwarder and the type of configuration. You can set sourcetype in inputs.conf and it would be respected for the life of an event with no problem.

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

If setting it in an input isn't possible, because maybe you want multiple sourcetypes from the same input, then its another story. Universal and Lightweight forwarders do not do parsing, so if you're using those, you'd put your changes on the Indexer. If your using a heavy forwarder, you can put your changes there as data would be parsed by the time it left the output queue.

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

sourcetypes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

sourcetypes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future