Source Types, Hosts & Sources

Every event in Splunk has three default metadata fields: host (the machine it came from), source (the file path or input), and sourcetype (the data format).

Sourcetype is the most important — it tells Splunk how to parse the data. Splunk auto-detects many sourcetypes, but admins often need to specify or create custom ones.

You set metadata in inputs.conf (index-time) or override it in props.conf and transforms.conf.