What is the default sourceType?

[VictorioBerra]

I am a little new with Splunk, I have asked our admin to generate a HEC token for use in my app, and he asked what Source Type the HEC Token needed to be configured for. Does this Sink have a default that I can give my admin? Will "JSON" work for now?

This is a default ASPNET Core 3.1 app.

Thanks

[merbla]

Hi @VictorioBerra,

Sorry I have been away on holidays.

Sourcetype can be set in a variety of methods.

• During configuration
• At the event level using a custom field (sourcetype)
• or also in the creation of the HEC token (within Splunk itself)

As for 3.1 Core, I personally have not used the sink with that framework. I am in the process of a PR to update to the latest framework.

Cheers

[VictorioBerra]

Your sink seems to work just fine for me under core 3.1. thanks for replying. I set the source type to JSON during HEC creation. I think it was a mandatory selection.

[VictorioBerra]

For any other Splunk noobs like me that find this, I found a good post on splunk.com that helped demystify what sourcetypes do https://answers.splunk.com/answers/793405/why-shouldnt-i-use-the-json-or-syslog-sourcetypes.html