Hi bbyttn,
You can ingest many different types of logs on a single indexer, and the beauty of Splunk is that you don't need to define your fields ahead of time. Only a few basic fields such as source, sourcetype, host, and time are captured at index time, and all other fields can be extracted on the fly at search time.
To understand index time vs. search time, please refer to documentation here:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Indextimeversussearchtime
This section gives you an overview of how data moves through Splunk deployments - the data pipeline:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Deploy/Datapipeline
The Search Tutorial may be a good way to get started with using Splunk.
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchTutorial/WelcometotheSearchTutorial
Hope this helps. Thanks!
Hunter
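To make the index-time versus search-time distinction concrete, here is a small added example (written for this page, not part of Hunter's answer and not Splunk's own code). It models the idea the answer describes: at index time only source, sourcetype, host and time are stored alongside the raw event, and named fields are pulled out by per-sourcetype regexes only when a search runs. The sample events, sourcetype names and extraction regexes are all constructed for the example; because extraction happens at search time, a rule added later applies to events that were already indexed without re-ingesting them.

```python
import re

# Constructed sample events from three different log sources on one indexer
# (source, sourcetype, host, _time, raw text). The IP and names are made up.
RAW_EVENTS = [
    ("/var/log/auth.log", "linux_secure", "web01", "2024-01-10T12:01:05Z",
     "Jan 10 12:01:05 web01 sshd[2201]: Failed password for invalid user admin "
     "from 203.0.113.7 port 51122 ssh2"),
    ("/var/log/nginx/access.log", "access_combined", "web01", "2024-01-10T12:01:07Z",
     '203.0.113.7 - - [10/Jan/2024:12:01:07 +0000] "GET /login HTTP/1.1" 401 512 "-" "curl/8.0"'),
    ("WinEventLog:Security", "WinEventLog", "dc01", "2024-01-10T12:01:09Z",
     "EventCode=4625 Account_Name=admin Source_Network_Address=203.0.113.7 Logon_Type=3"),
]

# Search-time extraction rules keyed by sourcetype. These regexes are
# hypothetical and written for the constructed samples above.
EXTRACTIONS = {
    "linux_secure": [
        r"user (?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+)",
    ],
    "access_combined": [
        r'^(?P<src_ip>\S+) .*"(?P<method>\w+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})',
    ],
    "WinEventLog": [
        r"EventCode=(?P<EventCode>\d+)",
        r"Account_Name=(?P<user>\S+)",
        r"Source_Network_Address=(?P<src_ip>\S+)",
    ],
}


def index_events(raw_events):
    """Index time: keep only the basic metadata plus the untouched raw event."""
    return [
        {"source": src, "sourcetype": st, "host": host, "_time": ts, "_raw": raw}
        for src, st, host, ts, raw in raw_events
    ]


def add_extraction(sourcetype, pattern):
    """Register a new search-time rule; already-indexed events need no re-ingest."""
    EXTRACTIONS.setdefault(sourcetype, []).append(pattern)


def extract_fields(event):
    """Search time: apply every rule for the event's sourcetype to its _raw text."""
    fields = {k: v for k, v in event.items() if k != "_raw"}
    for pattern in EXTRACTIONS.get(event["sourcetype"], []):
        match = re.search(pattern, event["_raw"])
        if match:
            fields.update(match.groupdict())
    return fields


def search(indexed, **criteria):
    """Extract fields for each event on the fly, then keep those matching criteria."""
    hits = []
    for event in indexed:
        fields = extract_fields(event)
        if all(fields.get(name) == value for name, value in criteria.items()):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    idx = index_events(RAW_EVENTS)
    # One search spanning three sourcetypes, correlated on a field that was
    # never declared up front.
    for hit in search(idx, src_ip="203.0.113.7"):
        print(hit["sourcetype"], hit["host"], hit.get("user"))
    # Add a new field extraction after ingestion and search the same index again.
    add_extraction("linux_secure", r"port (?P<port>\d+)")
    print(search(idx, port="51122"))
```

The `search` call with `src_ip` shows why heterogeneous logs can share one indexer: nothing about the ssh, nginx or Windows formats had to be agreed in advance, and the correlation key is produced by the regexes at query time. The `add_extraction` step is the other half of the point in the answer: changing how fields are extracted does not require re-indexing.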