Remove references to automatic source type detection and add examples of sourceType use to docs

marpears · marpears · commit d6f232db7997 · 2026-05-05T10:59:44.000+01:00
diff --git a/api/observability/v1/output_types.go b/api/observability/v1/output_types.go
@@ -1332,7 +1332,7 @@ type Splunk struct {
 	Source string `json:"source,omitempty"`
 
 	// SourceType can be used to specify a pretrained or custom sourcetype in Splunk.
-	// If not specified, `sourceType` will be "_json" or be determined automatically when using `payloadKey` based on the type of the final event payload.
+	// If not specified, the Splunk source type used is `_json` but may be overridden when using `payloadKey`, depending on the structure of the final event payload.
 	// Details in: docs/features/logforwarding/outputs/splunk-forwarding.adoc
 	//
 	// Examples:
diff --git a/bundle/manifests/cluster-logging.clusterserviceversion.yaml b/bundle/manifests/cluster-logging.clusterserviceversion.yaml
@@ -1944,7 +1944,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:text
       - description: |-
           SourceType can be used to specify a pretrained or custom sourcetype in Splunk.
-          If not specified, `sourceType` will be "_json" or be determined automatically when using `payloadKey` based on the type of the final event payload.
+          If not specified, the Splunk source type used is `_json` but may be overridden when using `payloadKey`, depending on the structure of the final event payload.
           Details in: docs/features/logforwarding/outputs/splunk-forwarding.adoc
 
           Examples:
diff --git a/bundle/manifests/observability.openshift.io_clusterlogforwarders.yaml b/bundle/manifests/observability.openshift.io_clusterlogforwarders.yaml
@@ -3894,7 +3894,7 @@ spec:
                         sourceType:
                           description: |-
                             SourceType can be used to specify a pretrained or custom sourcetype in Splunk.
-                            If not specified, `sourceType` will be "_json" or be determined automatically when using `payloadKey` based on the type of the final event payload.
+                            If not specified, the Splunk source type used is `_json` but may be overridden when using `payloadKey`, depending on the structure of the final event payload.
                             Details in: docs/features/logforwarding/outputs/splunk-forwarding.adoc
 
                             Examples:
diff --git a/config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml b/config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml
@@ -3894,7 +3894,7 @@ spec:
                         sourceType:
                           description: |-
                             SourceType can be used to specify a pretrained or custom sourcetype in Splunk.
-                            If not specified, `sourceType` will be "_json" or be determined automatically when using `payloadKey` based on the type of the final event payload.
+                            If not specified, the Splunk source type used is `_json` but may be overridden when using `payloadKey`, depending on the structure of the final event payload.
                             Details in: docs/features/logforwarding/outputs/splunk-forwarding.adoc
 
                             Examples:
diff --git a/config/manifests/bases/cluster-logging.clusterserviceversion.yaml b/config/manifests/bases/cluster-logging.clusterserviceversion.yaml
@@ -1867,7 +1867,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:text
       - description: |-
           SourceType can be used to specify a pretrained or custom sourcetype in Splunk.
-          If not specified, `sourceType` will be "_json" or be determined automatically when using `payloadKey` based on the type of the final event payload.
+          If not specified, the Splunk source type used is `_json` but may be overridden when using `payloadKey`, depending on the structure of the final event payload.
           Details in: docs/features/logforwarding/outputs/splunk-forwarding.adoc
 
           Examples:
diff --git a/docs/features/logforwarding/outputs/splunk-forwarding.adoc b/docs/features/logforwarding/outputs/splunk-forwarding.adoc
@@ -65,8 +65,90 @@ To ensure consistency and meaningful categorization, the `source` value can be d
 following Cluster Log Forwarder's conventions.
 
 === `sourceType`
-In Splunk, the `sourceType` field is used to format and categorise data. Splunk is bundled with many pretrained types and has the capability of defining custom types. Use this field to reference a source type defined in Splunk.
-If not specified, `sourceType` will be "_json" or be determined automatically when using `payloadKey` based on the type of the final event payload.
+In Splunk, the source type is used to define how incoming data should be parsed, interpreted, and categorised. Splunk includes many built-in source types and also allows for custom source types to be defined. The `sourceType` field should reference a source type configured in Splunk.
+
+If not specified, the Splunk source type used is `_json` but may be overridden when using `payloadKey`, depending on the structure of the final event payload.
+
+An example of a use case for this field is where a custom Splunk source type has been created to interpret particular log message content where key/value pairs are extracted and transformed into Splunk fields for use with dashboards.
+
+Here is an example of a CLF where log events for an app are forwarded to a Splunk output sink with a user-defined source type :
+
+```
+spec:
+  inputs:
+    - application:
+        includes:
+          - container: myapp
+            namespace: my-app-*
+      name: myapp
+      type: application
+  outputs:
+    - name: splunk-myapp
+      splunk:
+        authentication:
+          token:
+            key: hecToken
+            secretName: splunk-myapp
+        sourceType: 'myapp:sourcetype'
+        url: 'https://splunk.customer.com:8088'
+      type: splunk
+  pipelines:
+    - name: myapp
+      inputRefs:
+        - myapp
+      outputRefs:
+        - splunk-myapp
+```
+
+If a source type needs to be referenced for a particular application's log events, but is not appropriate for others, be sure to structure the ClusterLogFowarder so that it does not misrepresent the format of log events by using a single Splunk output sink.
+
+Here is an example of a CLF where cluster-wide general app log events are forwarded to a Splunk output sink using the default source type of `_json`, and log events for an app are forwarded to a different Splunk output sink with a user-defined source type :
+
+```
+spec:
+  inputs:
+    - name: application-general
+      application:
+        excludes:
+          - container: myapp
+            namespace: my-app-*
+      type: application
+    - name: application-myapp
+      application:
+        includes:
+          - container: myapp
+            namespace: my-app-*
+      type: application
+  outputs:
+    - name: splunk-application-general
+      splunk:
+        authentication:
+          token:
+            key: hecToken
+            secretName: splunk-application-general
+        url: 'https://splunk.customer.com:8088'
+      type: splunk
+    - name: splunk-application-myapp
+      splunk:
+        authentication:
+          token:
+            key: hecToken
+            secretName: splunk-application-myapp
+        sourceType: 'myapp:sourcetype'
+        url: 'https://splunk.customer.com:8088'
+      type: splunk
+  pipelines:
+    - name: splunk-application-general
+      inputRefs:
+        - application-general
+      outputRefs:
+        - splunk-application-general
+    - name: splunk-application-myapp
+      inputRefs:
+        - application-myapp
+      outputRefs:
+        - splunk-application-myapp
+```
 
 === `indexedFields`
 
@@ -196,7 +278,7 @@ Below the table with default value depends on log_type and log_source will be us
 |`index`|||| not configured by default
 |`source`|SYSLOG_IDENTIFIER|ns_name_podName_containerName|.log_source|
 |`indexedFields`|||| not configured by default
-|`sourceType`|`_json` or `generic_single_line`|`_json` or `generic_single_line`|`_json` or `generic_single_line`| Can be explicitly defined, otherwise will be determined automatically based on the type of the final event payload
+|`sourceType`|`_json` or `generic_single_line`|`_json` or `generic_single_line`|`_json` or `generic_single_line`| Can be explicitly defined, otherwise will be determined based on the type of the final event payload
 |`host`|`.hostname`|`.hostname`|`.hostname`|not configurable
 |`payloadKey`|||| not configured by default
 
