Best practice for sourcetype category: Application...

Graham_Hanningt · ‎10-29-2019

I am developing an app in Splunk 7.3.

My app uses a proprietary sourcetype. In case it's significant for this question, the sourcetype is generated by an application (not a Splunk app), also proprietary, on another platform.

What is the best-practice choice of category in props.conf for such a sourcetype?

For example, Custom or Application?

Initially, I have chosen Application, because it seems like the best fit from at least two perspectives: the source type is generated by an application, and it is used by a specific Splunk app (the one I'm developing).

Or, attempting to think of possible counterarguments: should Application be reserved for "built-in" sourcetypes defined out-of-the-box by Splunk?

A related (sub-)question: what is the best practice for coining new categories? For example, a category for the brand of the proprietary application that generates this sourcetype?

gcusello · ‎10-30-2019

Hi Graham_Hannington,
Category in props.conf for sourcetypes is a classification used only to reach sourcetypes when you use the guided procedure, but it hasn't any other role, you can also don't use category and your sourcetype continues to work properly!
So, use the category you prefer.

Ciao.
Giuseppe

Best practice for sourcetype category: Application vs Custom?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...