From the HTTP Event Collector setting page:
Source type
The source type is one of the default fields that Splunk assigns to all incoming data. It tells Splunk what kind of data you've got, so that Splunk can format the data intelligently during indexing. **And it's a way to categorize your data, so that you can search it easily.**
We are inputting key/value pairs via HTTP Event Collector. We are currently using sourcetype as a way to categorize the type of data associated with the key/value pairs. We could also add a key with the type of data.
Is using sourcetype to categorize data a good practice? Or should we not set the sourcetype for our HTTP Events and set a key value?