Greetings -- long-time user, first-time SysAdmin (of Splunk). I'm sure this is documented, but can someone point me to the specific info I need, or supply some tips? I can read about all this just fine, if someone can point me at the specific docs needed...
1.) I have three different types of syslog coming in: firewall, Windows, and Linux. I guess this means I need three different sourcetypes, so that a different set of Interesting Fields is pulled out for each? How do I create three custom sourcetypes, each with its own set of Interesting Fields?
2.) I need to store the raw syslog data for my firewalls, Windows and Linux machines on the Splunk server, so it can be viewed by auditors. How do I configure that? How can I configure aging/archiving of these syslog entries (three different directory paths for three different types of syslog)?
3.) I am currently using one sourcetype, and I have a single firewall using it. I'm displaying way more Interesting Fields than I need. For instance, I'm displaying "hours", and all my entries have 24 values (zero through 23); this is useless. How can I get Splunk to stop spinning CPU cycles indexing data on useless fields? There's a good chance I'll be forced to do this on a virtual machine, so I only want Splunk spending I/O on fields that I say are interesting...
Thanks!
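One way to lay out the setup the questions above describe, as an added configuration example that is not part of the original post: a syslog daemon writes raw files per source into separate directories that Splunk monitors, one sourcetype and one index per source, each index with its own retention and archive location. The directory paths, sourcetype names, index names and retention period are assumptions chosen for illustration.

```ini
# --- inputs.conf (Splunk) ---
# A syslog daemon (e.g. rsyslog) writes the raw messages per source into
# separate directories; Splunk only reads them, so the untouched originals
# stay on disk for auditors. Paths and names below are assumed values.
[monitor:///var/log/syslog/firewall]
sourcetype = fw:syslog
index = fw
# host_segment = 5: /var/log/syslog/firewall/<host>/... -> 5th path segment
host_segment = 5

[monitor:///var/log/syslog/windows]
sourcetype = win:syslog
index = win
host_segment = 5

[monitor:///var/log/syslog/linux]
sourcetype = linux:syslog
index = linux
host_segment = 5

# --- props.conf ---
# One stanza per sourcetype. KV_MODE = none turns off automatic key=value
# field discovery at search time. Fields such as date_hour are derived from
# _time at search time and are not indexed, so they cost no indexing I/O.
[fw:syslog]
SHOULD_LINEMERGE = false
KV_MODE = none
# Repeat the same stanza for [win:syslog] and [linux:syslog].

# --- indexes.conf ---
# Separate index per source type with its own retention. Buckets older than
# frozenTimePeriodInSecs are moved to coldToFrozenDir instead of deleted.
[fw]
homePath = $SPLUNK_DB/fw/db
coldPath = $SPLUNK_DB/fw/colddb
thawedPath = $SPLUNK_DB/fw/thaweddb
# 31536000 seconds = 365 days (assumed retention)
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /archive/splunk/fw
# Repeat with their own paths for [win] and [linux].
```

Restart Splunk after changing these files; search-time fields from the old sourcetype are unaffected by the new stanzas until the data is re-indexed under them.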