We have a forwarder/receiver topology configured here. Each of the 200 or so servers have a light forwarder their info to the main indexer/receiver.
My challenge is that many of these machines are generating a custom source type.
We are currently defining the custom source types in a .conf file at the forwarding machine. unfortunately, this creates somewhat of a management problem given the number of machines.
is there way to define custom source types in .conf at the Receiver/Indexer?
Are you using Splunk's deployment server to manage forwarder configurations? That should be the best way to solve the issue.
Otherwise, you could use props/transforms stanzas to override the sourcetype assignment at runtime. You could run a regex on the "source" field and assign a predefined sourcetype if the event matches the regex. You can find lots of details here: http://www.splunk.com/base/Documentation/latest/Admin/Advancedsourcetypeoverrides