I am developing an app in Splunk 7.3.
My app uses a proprietary sourcetype. In case it's significant for this question, the sourcetype is generated by an application (not a Splunk app), also proprietary, on another platform.
What is the best-practice choice of category
in props.conf
for such a sourcetype?
For example, Custom or Application?
Initially, I have chosen Application, because it seems like the best fit from at least two perspectives: the source type is generated by an application, and it is used by a specific Splunk app (the one I'm developing).
Or, attempting to think of possible counterarguments: should Application be reserved for "built-in" sourcetypes defined out-of-the-box by Splunk?
A related (sub-)question: what is the best practice for coining new categories? For example, a category for the brand of the proprietary application that generates this sourcetype?
Hi Graham_Hannington,
Category in props.conf for sourcetypes is a classification used only to reach sourcetypes when you use the guided procedure, but it hasn't any other role, you can also don't use category and your sourcetype continues to work properly!
So, use the category you prefer.
Ciao.
Giuseppe