Be aware that in 6.4 there are two different HEC endpoints you can write to.
The /services/collector endpoint does not pass events through the event processing pipeline. This means index-time processing of sourcetypes won't work here. So you actually don't want to use _json as the sourcetype, because the _json sourcetype extracts json events at index time. You'll notice in the _json definition that INDEXED_EXTRACTIONS = json and KV_MODE = none. What that does is tell Splunk to create your json fields at index time, and skip auto-extracting the fields at search time. Otherwise, you'd end up with two entries for each field (Splunk would show the index-time and the search-time field).
The new /services/collector/raw endpoint, however, will pass data through the event processing pipeline. So you can post json data as _json and use index-time field extractions, transforms, and so on. Hopefully this difference makes sense.
http://dev.splunk.com/view/event-collector/SP-CAAAE8Y
As far as whether to use one sourcetype or multiple, or a new field, are you putting something in the sourcetype field just because you feel like you need to utilize it? If so, you may want to wait on using that field until you've used Splunk for a while to see how best to use it for your data. You'll find differing opinions, but I think the sourcetype field should be used to describe the format of your data. Remember you can also use the source field to include information that might better describe where the data originated from (i.e., the table name). And you can create props/extractions that apply to sources as well.
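To make the endpoint difference concrete, here is an added example (not part of the answer above) that builds a request for each HEC endpoint: the JSON envelope for /services/collector and the bare body plus query parameters for /services/collector/raw. The host, token, channel GUID, index and the custom sourcetype name `myapp:json` are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

HEC_HOST = "https://splunk.example.com:8088"          # constructed placeholder
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"    # constructed placeholder
CHANNEL = "11111111-1111-1111-1111-111111111111"      # constructed placeholder


def build_collector_request(event, source, sourcetype, index=None):
    """/services/collector: event wrapped in a JSON envelope.

    This endpoint skips the event processing pipeline, so the sourcetype
    should be one whose fields are extracted at search time, not _json
    (which relies on INDEXED_EXTRACTIONS = json at index time).
    """
    envelope = {"event": event, "source": source, "sourcetype": sourcetype}
    if index:
        envelope["index"] = index
    body = json.dumps(envelope).encode("utf-8")
    headers = {"Authorization": "Splunk " + HEC_TOKEN,
               "Content-Type": "application/json"}
    return HEC_HOST + "/services/collector", headers, body


def build_raw_request(event, source, sourcetype, index=None):
    """/services/collector/raw: bare body, routed via query parameters.

    Data sent here goes through the pipeline, so _json and other
    index-time extractions apply. The channel header is required when
    indexer acknowledgement is enabled and is harmless otherwise.
    """
    params = {"source": source, "sourcetype": sourcetype}
    if index:
        params["index"] = index
    url = HEC_HOST + "/services/collector/raw?" + urllib.parse.urlencode(params)
    body = json.dumps(event).encode("utf-8")
    headers = {"Authorization": "Splunk " + HEC_TOKEN,
               "X-Splunk-Request-Channel": CHANNEL}
    return url, headers, body


def send(url, headers, body):
    """POST one prepared request and return the decoded HEC reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    sample = {"table": "orders", "order_id": 42, "status": "shipped"}  # constructed
    print(build_collector_request(sample, "db:orders", "myapp:json"))
    print(build_raw_request(sample, "db:orders", "_json"))
```

Call `send(*build_raw_request(...))` against a real HEC to actually deliver the event; the build functions alone run offline.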