topic Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder? in Getting Data In

Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder?

pj — Mon, 28 Sep 2020 20:07:44 GMT

I sometimes use the _meta capability of inputs.conf to add a meta field to the data when it makes sense to do so. For example, if you have some intermediary forwarders, it can be useful to add a host_forwarder field to understand the originating host and also the host of the forwarder that the data flowed through.

Typically you can add the meta field to the [default] stanza of inputs.conf under system local as follows:

[default] 
host = myHostName
_meta = host_forwarder::myHostName

This works pretty well and basically inserts a host_forwarder field for all events flowing through the forwarder. However, I recently implemented this on a Windows UF and also decided to collect the local Windows events from the forwarder in question, but noticed that this seems to work for all inputs other than WinEventLog inputs. When I btool it up and check the WinEventLog input - the _meta is there, but it is not respected and the field does not appear in the indexed data in Splunk. It seems to only affect Windows event inputs - all other input stanzas are fine. Possible bug or is this by design? Using a 6.2.3 UF on Windows 2012.

Re: Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder?

adam_reber — Thu, 22 Dec 2016 14:56:07 GMT

I have been having this issue as well, and I figured out what appears to be a workaround. Rather than putting _meta in the [default] stanza, you have to put it under each [WinEventLog:*] stanza. This probably throws off some use cases, and hopefully this can be fixed at some point.

Re: Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder?

matthaios — Sat, 13 Apr 2019 04:49:32 GMT

I know this is a really old post, but ran across this when I was trying to figure this out. I was able to figure out how to fix this issue.

https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/MonitorWindowseventlogdata#Specify_global_settings_for_Windows_Event_Log_inputs

You can use the [WinEventLog] stanza in your inputs.conf to globally specify configs for all WinEventLog inputs. [perfmon] also works as well.

[WinEventLog]
_meta = host_forwarder::myHostName

[perfmon]
_meta = host_forwarder::myHostName

Re: Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder?

pj — Sat, 13 Apr 2019 15:14:32 GMT

Good find. Its a shame Splunk couldnt just use [default] like everything else and instead needed to create a specific [WinEventLog] stanza to deal with global elements related to windows event log.

Re: Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder?

lim2 — Fri, 13 Jan 2023 13:37:54 GMT

Hi everyone, My company also has this [default]\n _meta requirement for the Splunk_TA_windows input stanzas. Since this has been a requirement for a few years now and not much attention, we been asked by Splunk support to upvote the https://ideas.splunk.com/ideas/APPSID-I-678 so that Splunk TA developers could prioritize this feature request.
Bests.