If you have not defined a sourcetype in an appropriate props.conf (and associated transforms.conf), Splunk will try to determine the sourcetype based on heuristics.
Those heuristics are not generally very accurate on custom data sources.
Instead of trying to "programmatically set the sourcetype to be the namespace from where the logs were generated", add a field whose contents indicate the namespace from which the logs are generated (e.g. "namespace").
It's much simpler, extends your logging more efficiently, and doesn't require the definition of scores or hundreds or thousands of individual sourcetypes.
from User warren – Stack Overflow https://stackoverflow.com/questions/50179871/fluentd-sending-to-splunk-hec-want-to-set-sourcetype-to-the-namespace/73128253#73128253
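
The approach in the answer above, sketched as an added example that is not part of the original answer or of any Fluentd or Splunk code: each record is wrapped in a Splunk HEC event envelope with one fixed sourcetype, and the namespace is carried in the HEC `fields` object. The sourcetype name `app:json`, the record keys, the `unknown` fallback and the helper names `hec_event` and `hec_batch` are assumptions made for illustration.

```ruby
require "json"

# One fixed sourcetype for every namespace (assumed name for this example).
SOURCETYPE = "app:json"

# Build one Splunk HEC event envelope from a log record (a Hash).
# The namespace goes into the HEC "fields" object as an indexed field,
# so the sourcetype is the same whichever namespace produced the log.
def hec_event(record, default_namespace: "unknown")
  ns = record["namespace"].to_s.strip
  # Records with a missing or blank namespace stay searchable under a fallback.
  ns = default_namespace if ns.empty?
  # Keep namespace and time out of the event body; they live in the envelope.
  payload = record.reject { |key, _| %w[namespace time].include?(key) }
  envelope = {
    "sourcetype" => SOURCETYPE,
    "fields"     => { "namespace" => ns },
    "event"      => payload
  }
  # Pass an epoch timestamp through only when the record supplies one.
  envelope["time"] = record["time"] if record["time"].is_a?(Numeric)
  envelope
end

# HEC accepts several event objects stacked in a single request body.
def hec_batch(records)
  records.map { |record| JSON.generate(hec_event(record)) }.join("\n")
end

# Constructed sample records, not taken from any real system.
SAMPLE = [
  { "namespace" => "payments", "time" => 1_700_000_000,
    "message" => "login ok", "user" => "alice" },
  { "namespace" => "  ", "message" => "blank namespace" },
  { "message" => "namespace key missing" }
].freeze

puts hec_batch(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

With events shaped this way, one props.conf stanza for the single sourcetype covers every namespace, and searches filter on the `namespace` field.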