I believe that just searching on source/sourcetype is fine, as long as the defaults are set correctly for your environment. I have worked in an environment where the index field was overloaded to search so that you could see similar data, but your defaults controlled what you saw just by searching on the source/sourcetype.
You have to make sure that the roles your Splunk user inherits do not have indexes that are selected by default that you do not want to have your Splunk user have access to by default.
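One way to check this, as an added example that is not part of the original post: the script below reads role stanzas in `authorize.conf` form and computes the default search indexes a role ends up with once `importRoles` inheritance is followed. It assumes that `srchIndexesDefault` and `importRoles` are semicolon-separated and that inherited default indexes are combined as a union; the role and index names are constructed, and wildcard index patterns are not expanded.

```python
import configparser

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;web
srchIndexesDefault = main

[role_secops]
srchIndexesAllowed = main;web;security
srchIndexesDefault = main;security

[role_analyst]
importRoles = user;secops
srchIndexesAllowed = web
srchIndexesDefault = web
"""

def _split(value):
    """Split a semicolon-separated setting into a set of names."""
    return {v.strip() for v in value.split(";") if v.strip()}

def load_roles(text):
    """Return {role_name: {setting: value}} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the camelCase setting names as written
    parser.read_string(text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}

def effective_defaults(roles, name, seen=None):
    """Union of srchIndexesDefault for a role and every role it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # guard against import cycles
        return set()
    seen.add(name)
    result = _split(roles[name].get("srchIndexesDefault", ""))
    for parent in _split(roles[name].get("importRoles", "")):
        result |= effective_defaults(roles, parent, seen)
    return result

def unwanted_defaults(roles, name, wanted):
    """Indexes searched by default that are outside the intended set."""
    return effective_defaults(roles, name) - set(wanted)

if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    print(sorted(unwanted_defaults(roles, "analyst", {"web", "main"})))
```

Here the `analyst` role only lists `web` as its own default, but the imported `secops` role adds `security` to what a bare source/sourcetype search will cover.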