Splunk indexes and source types are determined based on what method is used for data collection. You can either choose the existing installation of the Splunk Add-on for Windows and Unix and Linux or the Centrify Add-on for Splunk.
In this scenario, data is indexed to
wineventlog, and the OS indexes and source type is either the
WinEventLog:Application(Windows) or the
syslog (Unix). You must add these indexes to the default searchable indexes by going to:
Settings > Access Controls > Roles > (Click on a particular role) > Indexes Searched by default
In this case, data is indexed to the main index and the source type is either
syslog (Unix). Centrify uses the same source types as the Splunk Add-on for Windows and Unix and Linux so that field extractions can be performed regardless of the data collection method that you choose.
This method also prevents your data from being replicated to multiple indexes regardless of the data collection method used, and ensures that the Centrify data is extracted correctly in all scenarios.