The Splunk forwarder does not categorize any data. It simply collects the data and passes it on to the indexer along with basic metadata, which includes the current time & time zone, the host name, the sourcetype and the destination index. Of course the forwarder will be configured differently for different types of servers, as the actual log files and collection mechanisms vary. But no "category" is created or passed from the forwarder, at least not in terms of defining "errors", "warnings", etc. for events.
Events are categorized in Splunk at search time, not on the forwarder; doing it this way offers much more flexibility. Tags and eventtypes are used to categorize data, and field extractions are usually part of the categorization process. These are all called "knowledge objects" in Splunk and they are often defined based on the sourcetype of the data.
You can create your own sourcetypes and knowledge objects, but many are already defined. A few are defined in Splunk itself, but most are defined in apps. You can download apps from SplunkBase at http://splunkbase.splunk.com; over a thousand apps exist and almost all of them are free. Just a few examples: the Splunk Add-on for Cisco ASA and the Palo Alto Networks Add-on.
However, every vendor and app is free to set up and define their log files (and knowledge objects) in any way they like. To make it easier to integrate disparate data sources, Splunk has defined the Common Information Model (CIM). You can read the CIM Manual and even download the free CIM app. Many of the apps on SplunkBase follow the CIM.
What is an "error" vs. "warning" certainly depends on both the data source and your environment. I suggest that you learn more about the apps and the CIM as a starting point. I also suggest that you use tags and eventtypes to categorize your data in a customized way.
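The search-time categorization described in the answer above, sketched as an added example that is not part of the original post and not taken from any Splunk app. The sourcetype `acme:app`, the `level=` log format, and the eventtype and tag names are assumptions made for illustration; the tags are custom ones, not CIM tags.

```ini
# Constructed sample events for the hypothetical sourcetype acme:app:
#   2024-05-01 10:15:02 level=ERROR msg="database connection timed out"
#   2024-05-01 10:15:09 level=WARN  msg="retrying request, attempt 2"
#   2024-05-01 10:15:11 level=INFO  msg="request completed"

# ---- props.conf (search head) ----
# Search-time field extraction: pulls the severity out of the raw event.
# Nothing here runs on the forwarder, and indexed data is not changed.
[acme:app]
EXTRACT-log_level = \blevel=(?<log_level>[A-Z]+)

# ---- eventtypes.conf (search head) ----
# An eventtype is a saved search fragment. Any event that matches the
# search is labelled with the eventtype name when a search runs.
[acme_app_error]
search = sourcetype=acme:app log_level=ERROR

[acme_app_warning]
search = sourcetype=acme:app log_level=WARN

# ---- tags.conf (search head) ----
# Tags attach a common label to a field=value pair. Tagging eventtypes
# from several sourcetypes with the same tag lets one search cover all
# of them, whatever each vendor calls its severity field.
[eventtype=acme_app_error]
error = enabled

[eventtype=acme_app_warning]
warning = enabled

# ---- Example searches using these knowledge objects ----
#   tag=error
#   tag=error OR tag=warning | stats count by eventtype, host
#
# Because all of this is evaluated at search time, changing what counts
# as an "error" only requires editing the eventtype search; events that
# were indexed earlier are re-categorized on the next search.
```

Each stanza goes in the named .conf file of an app on the search head, or the same objects can be created from the Settings menu in Splunk Web.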