I am new to Splunk and I have quite a few projects in my organization. I know that an index can have more than one source type, which can be done by using roles and assigning to users. But I'm not sure what would be the best way to use index and source type for my projects in Splunk.
Here are some ideas that I have for using index and source type. The first idea would be assigning the project name as index and products such as Windows and Linux for source type. For example: index=Project A, sourcetype=Windows, sourcetype=Linux. Another idea would be assigning the products as index and project name for source type. For example: index=Windows, sourcetype=Project A, sourcetype=B and sourcetype=C.
Thanks for your advice.