I have a syslog input that has its field values in the following format and Splunk isn't picking it up by default. How could I get Splunk to correctly sourcetype this type:
"class":"sessionevent", "hostname":"bob"
You can define the sourcetype of your events in the appropriate inputs.conf file for the syslog monitoring stanza you have set up with something similar to the following.
[tcp://syslog.corp.company.net:514]
sourcetype = syslog
Here is a link to the Splunk documentation for further information:
What is the data coming from? You could use the interactive field extractor in the UI to get Splunk to generate the regex for you.
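Putting the two answers together, here is an added configuration example (not from the original thread or from Splunk's own docs) that assigns a sourcetype to the syslog listener from the first answer and then extracts the "key":"value" pairs from the question at search time. The sourcetype name corp_syslog_kv, the transform name quoted_kv and the regex are assumptions chosen for this example; the tcp://syslog.corp.company.net:514 stanza is the one from the answer above.

```ini
# inputs.conf (assumed location: $SPLUNK_HOME/etc/system/local/inputs.conf)
# Tag events from the syslog listener with a custom sourcetype so the
# extraction below only applies to this feed. "corp_syslog_kv" is an
# assumed name, not one from the thread.
[tcp://syslog.corp.company.net:514]
sourcetype = corp_syslog_kv

# props.conf
# Bind a search-time field extraction (REPORT-) to that sourcetype.
# Search-time extraction also works on data that was indexed before the
# config existed, so nothing has to be re-ingested.
[corp_syslog_kv]
REPORT-quoted_kv = quoted_kv

# transforms.conf
# Regex for the "key":"value" pairs in the question. Group 1 captures the
# key, group 2 the value. FORMAT = $1::$2 tells Splunk to use group 1 as
# the field name, so "class":"sessionevent", "hostname":"bob" yields
# class=sessionevent and hostname=bob. MV_ADD keeps every value when the
# same key appears more than once in an event instead of overwriting it.
[quoted_kv]
REGEX = "([^"]+)":"([^"]*)"
FORMAT = $1::$2
MV_ADD = true
```

After a restart (or a debug/refresh of the search head) a search such as `sourcetype=corp_syslog_kv | table _time class hostname` should show the extracted fields. The regex approach is used here because the sample is a bare list of quoted pairs rather than a complete JSON object; if the whole event body were valid JSON, setting `KV_MODE = json` in the props.conf stanza would be the simpler choice. Tighten the `[^"]+` key pattern if the feed can contain escaped quotes, since the regex as written does not handle them.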