It is possible to "tag" all data coming into a par...

twinspop · ‎07-22-2019

I have about 50 different tokens. I want data from one particular token to get some metadata added to it. Unfortunately, it doesn't appear that the _meta directive works for http in inputs.conf. Is it possible to replicate this functionality some how?

MuS · ‎07-22-2019

The inputs name will translate into a source::http:InputNameHere which in turn should be useable in props.conf
But I must admit, I have not yet tried it 😉

cheers, MuS

twinspop · ‎07-22-2019

Well shoot. If the sending application sets source, that overrides the default above, which means the transform doesn't fire. So still back to the old problem: How to guarantee a transform gets applied to every single event that came through a particular token's input def?

MuS · ‎07-22-2019

In this case, did someone say cough cribl cough 😉

twinspop · ‎07-22-2019

We're testing it, but not ready to roll into production. Yet. 🙂 Very promising!

twinspop · ‎07-22-2019

Perfect! I had no idea that was a thing. I feel like I gained a new superpower.

MuS · ‎07-22-2019

Glad I could help - Enjoy the new superpower 🙂

cheers, MuS

MuS · ‎07-22-2019

Hi twinspop,

you can always use the good old props.conf / transforms.conf approach and add a meta field this way. Here is an example transforms.conf I use to add the hostname of the parsing HWF to events:

[add-relay-info-to-meta]
FORMAT = splunk_hwf::HostNameHere
REGEX = .
WRITE_META = true

Yes, it is a static value but I assume you will not change your HEC input too often 😉

Hope this helps ...

cheers, MuS

twinspop · ‎07-22-2019

Yeah, a transform is where i was headed, but I don't see any foolproof way to identify only those those logs, and ALL those logs, that originate on 1 particular token. The token value and the input name are not things I can key off of in props as far as i know.

It is possible to "tag" all data coming into a particular HEC token?