The vast majority of events in Splunk come from files. Usually, these events are read on the machine where they are produced, as the logs are written. Very often, the entire input stanza will look like this:

[monitor:///logs/interesting.log*]
sourcetype = interesting
This is often all that is needed. This stanza says:
- Read all logs that match the /logs/interesting.log* pattern, and going forward, watch them for new data
- Name the source type interesting
- Set the source to the name of the file in which the log entry was found
- Default the host to the machine where the logs originated
- Write the events to the default index
These are usually perfectly acceptable defaults. If sourcetype is omitted, Splunk will pick a source type based on the filename, which you don't want: your source type list will get very messy very fast.
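As an added example (not a stanza from the original page), here is the same monitor input in inputs.conf with the defaults listed above made explicit rather than implied. The index name app_logs is an assumption and must already exist; host and source are left at their defaults, which is what the page describes.

```ini
# inputs.conf - added example, not from the original page.
# Same input as above, with the implied settings spelled out.
[monitor:///logs/interesting.log*]
# Always set sourcetype explicitly; omitting it lets Splunk derive one
# from the filename, which quickly clutters the source type list.
sourcetype = interesting
# Route to a dedicated index instead of the default one
# (index name "app_logs" is an assumption; it must exist already).
index = app_logs
# Explicitly enabled; set to 1 to stop reading this file without
# deleting the stanza.
disabled = 0
# host and source are intentionally not set: host defaults to the
# machine where the log originated, source to the matched file path.
```

The only line that changes behaviour compared with the two-line stanza is index; the rest documents the defaults so that a reviewer of the file does not have to remember them.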