Sure, I have used it to deploy a few dozen data sources (all forwarded by Splunk).
It's a big mess at the moment, as auto-learn is very basic: it doesn't remove duplicates or existing data sources, so going through the list is a bigger pain every time.
Depending on what version you are on, we ran into a bug where we had to get a small piece of code and run it on each receiver to get Auto-Learn to work. I don't recall the specifics behind why it stopped working, but if there is a bug, we usually find it.
Like aszotek mentioned, Auto-Learn can sometimes return unexpected results, or provide false information about what a data source type is. It can help in identifying data sources that are sending you logs, if your LAN/WAN and Server teams (Unix/Linux) already know where they need to send logs, but fail to let you know they brought a new device online.
From my closed SR -
Engineer found a bug. If there are any data sources that were disabled when they upgraded, the system would not create a certain file for the disabled data sources, because they are disabled.
However, the Autolearn function is looking for that file, and since the disabled data sources do not have it, the Autolearn function stops running because it cannot find the file.
I have a syslog-ng which relays the logs of our equipment. I set up syslog-ng and then activated 'AutoLearn'.
I can see most of the equipment.
- How can I add the equipment that was not retrieved?
- I 'Removed' a piece of equipment that was detected by 'AutoLearn', and now I don't see it. Is it possible to get it back?
- How can I get the real IP address of the host, and not the syslog-ng IP address, as the SourceIP?