Splunk Index and Source Types

The Splunk index and source type that Centrify data lands in depend on the data collection method. You can either use an existing installation of the Splunk Add-on for Windows and Unix and Linux, or use the Centrify Add-on for Splunk.

Data Collection Using the Splunk Add-on for Windows and Unix and Linux

In this scenario, data is indexed to the wineventlog (Windows) and os (Unix) indexes, and the source type is either WinEventLog:Application (Windows) or syslog (Unix). These indexes are not searched by default, so searches that omit an explicit index= term will not return Centrify events until you add them to each role's default searchable indexes by going to:

Settings > Access Controls > Roles > (Click on a particular role) > Indexes Searched by default

Data Collection Using Centrify Add-on for Splunk

In this case, data is indexed to the main index and the source type is either WinEventLog:Application (Windows) or syslog (Unix). Centrify uses the same source types as the Splunk Add-on for Windows and Unix and Linux so that the same field extractions apply regardless of the data collection method you choose.

Writing to main also keeps the Centrify data from being spread across multiple indexes, and because the source types match, the Centrify field extractions work correctly whichever collection method you use.
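The check a practitioner usually wants after reading both sections is "will this role actually see the Centrify events with a plain search?". The following is an added example, not code from the page or from Centrify: it parses a constructed authorize.conf fragment (the file behind the Settings > Access Controls > Roles screen), resolves each role's srchIndexesDefault including entries inherited through importRoles and wildcards, reports which indexes the chosen collection method still needs, and builds the matching SPL search. The method names, the sample roles and the [role_<name>] section layout are assumptions made for the example.

```python
"""Check whether a Splunk role searches Centrify data by default.

Added example (not from the page or Centrify). Parses a constructed
authorize.conf fragment and reports, per collection method, the indexes a
role still needs in srchIndexesDefault, plus the SPL search for that method.
"""
import configparser
import fnmatch

# Index / source type pairs from the page, keyed by an assumed method name.
REQUIRED = {
    # Splunk Add-on for Windows and Unix and Linux
    "splunk_addons": [("wineventlog", "WinEventLog:Application"), ("os", "syslog")],
    # Centrify Add-on for Splunk
    "centrify_addon": [("main", "WinEventLog:Application"), ("main", "syslog")],
}

# Constructed sample authorize.conf (not a real deployment's file).
SAMPLE_AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_soc_analyst]
importRoles = user
srchIndexesDefault = wineventlog

[role_admin]
srchIndexesDefault = *
"""


def parse_authorize_conf(text):
    """Parse authorize.conf text; keys keep their case as Splunk writes them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def default_indexes(cp, role, seen=None):
    """Set of srchIndexesDefault patterns for a role, including those
    inherited via importRoles (Splunk merges them). Cycles are ignored.
    Assumes roles appear as [role_<name>] sections."""
    seen = seen if seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    section = f"role_{role}"
    if not cp.has_section(section):
        return set()
    raw = cp.get(section, "srchIndexesDefault", fallback="")
    patterns = {p.strip() for p in raw.split(";") if p.strip()}
    for parent in cp.get(section, "importRoles", fallback="").split(";"):
        if parent.strip():
            patterns |= default_indexes(cp, parent.strip(), seen)
    return patterns


def missing_default_indexes(cp, role, method):
    """Indexes the method needs that the role does not search by default.
    Wildcard patterns such as '*' count as covering an index."""
    patterns = default_indexes(cp, role)
    needed = {index for index, _ in REQUIRED[method]}
    return sorted(
        index for index in needed
        if not any(fnmatch.fnmatchcase(index, p) for p in patterns)
    )


def search_for(method):
    """SPL search covering the method's index / source type pairs."""
    return " OR ".join(
        f'(index={index} sourcetype="{sourcetype}")'
        for index, sourcetype in REQUIRED[method]
    )


if __name__ == "__main__":
    conf = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("user", "soc_analyst", "admin"):
        for method in REQUIRED:
            missing = missing_default_indexes(conf, role, method)
            status = "ok" if not missing else f"add {', '.join(missing)}"
            print(f"{role:12} {method:15} {status}")
    print(search_for("splunk_addons"))
```

With the sample file, the user role already covers the Centrify Add-on case (main) but needs both wineventlog and os for the Splunk add-ons; soc_analyst inherits main from user and adds wineventlog, so only os is missing; admin's wildcard covers everything. Running the printed SPL search with an explicit index= term works for any role that is allowed those indexes, which is a quick way to confirm the data is arriving before the role defaults are changed.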