Total noob here. I want to create a source type that is an aggregate of several source types. What I want to eventually end up with is the ability to easily apply several REPORT rules to a set of source types. Below is a mockup of roughly what I want functionality-wise in my props.conf:
[sourcetype1 sourcetype2 sourcetype3 sourcetype4]
REPORT-AAAAA = AAAAA
REPORT-BBBBB = BBBBB
REPORT-CCCCC = CCCCC
REPORT-DDDDD = DDDDD
Is something along these lines possible to do in Splunk? Thanks for any help
... View more