Re: sourcetypes

jonathan_lam · ‎03-15-2012

We have forwarders sending data to our dedicated indexers. Do we need to set up custom sourcetypes on the forwarders or the indexers?

Please point me to documentation if this exists. Thank you!

jbsplunk · ‎03-15-2012

It depends on the kind of forwarder and the type of configuration. You can set sourcetype in inputs.conf and it would be respected for the life of an event with no problem.

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

If setting it in an input isn't possible, because maybe you want multiple sourcetypes from the same input, then its another story. Universal and Lightweight forwarders do not do parsing, so if you're using those, you'd put your changes on the Indexer. If your using a heavy forwarder, you can put your changes there as data would be parsed by the time it left the output queue.

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

sourcetypes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation