It is possible to "tag" all data coming into a par...

twinspop · ‎07-22-2019

I have about 50 different tokens. I want data from one particular token to get some metadata added to it. Unfortunately, it doesn't appear that the _meta directive works for http in inputs.conf. Is it possible to replicate this functionality some how?

hrawat · ‎11-04-2024

Now you can tag HEC events for any HEC end point ( including s2s) without paying for third party software.

https://community.splunk.com/t5/Getting-Data-In/Splunk-HTTP-Event-Collector-support-for-custom-metad...

isoutamo · ‎05-17-2024

Update for old post as splunk has fixed this.
Currently (at lest 9.1.3+) you can use _meta also in HEC's inputs.conf.

PickleRick · ‎05-17-2024

Have you tested if it works for both /raw and /event endpoints? Just asking because I haven't used it on HEC so I don't know 🙂

isoutamo · ‎05-31-2024

I test it at least for /raw endpoint.

ameizeraitis · ‎08-16-2022

You can use method i have implemented with DS distributed bash script automation, which does following with every single HEC input on each server in hfw pool:
First, append existing http stanzas in inputs.conf with "fake" output group, like

[http://hec_input_1]

outputgroup = out01

Define those fake outputs in outputs conf like this:

[tcpgroup:out01]

server=127.0.0.1:9001

Now we need to set some listener on internal loop input dedicated port that "tags" the data:

[splunktcp://9001]

_meta = HecName::192.168.0.1:hec_input_1

Repeat all this for for all your hec inputs, make each of it have it's own outputgroup and tcpsplunk port listener, restart splunk and enjoy:

|tstats count where index=hec_index by HecName

MuS · ‎07-22-2019

The inputs name will translate into a source::http:InputNameHere which in turn should be useable in props.conf
But I must admit, I have not yet tried it 😉

cheers, MuS

twinspop · ‎07-22-2019

Well shoot. If the sending application sets source, that overrides the default above, which means the transform doesn't fire. So still back to the old problem: How to guarantee a transform gets applied to every single event that came through a particular token's input def?

MuS · ‎07-22-2019

In this case, did someone say cough cribl cough 😉

twinspop · ‎07-22-2019

We're testing it, but not ready to roll into production. Yet. 🙂 Very promising!

twinspop · ‎07-22-2019

Perfect! I had no idea that was a thing. I feel like I gained a new superpower.

MuS · ‎07-22-2019

Glad I could help - Enjoy the new superpower 🙂

cheers, MuS

MuS · ‎07-22-2019

Hi twinspop,

you can always use the good old props.conf / transforms.conf approach and add a meta field this way. Here is an example transforms.conf I use to add the hostname of the parsing HWF to events:

[add-relay-info-to-meta]
FORMAT = splunk_hwf::HostNameHere
REGEX = .
WRITE_META = true

Yes, it is a static value but I assume you will not change your HEC input too often 😉

Hope this helps ...

cheers, MuS

twinspop · ‎07-22-2019

Yeah, a transform is where i was headed, but I don't see any foolproof way to identify only those those logs, and ALL those logs, that originate on 1 particular token. The token value and the input name are not things I can key off of in props as far as i know.

It is possible to "tag" all data coming into a particular HEC token?

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Are you a member of the Splunk Community?

It is possible to "tag" all data coming into a particular HEC token?

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern