I am adding some CMK (checkmk) data to Splunk using a custom deployment app. I will be creating a new index. I have some specific questions about the sourcetype.

1. How do I choose the sourcetype to put in the inputs.conf file? Are there guidelines or documentation that can help me choose the correct sourcetype or define a new one?
2. I read some documentation that suggested that Splunk will choose the most appropriate sourcetype for you. Is this correct? If so, what should I put in the inputs.conf file?
3. If I simply make up a new sourcetype and put it in the inputs.conf, does Splunk create it for me? Is doing this not a good idea?

Here is an example of the checkmk data:

[1614356357] SERVICE ALERT: ServerNameXXX;Memory;OK;HARD;1;OK - RAM used: 10.76 GB of 15.67 GB, Swap used: 1.96 GB of 4 GB, Total virtual memory used: 12.72 GB of 19.67 GB (64.7%)