So I'm trying to come up with a solution where all UFs and HFs add new fields to all indexed data for
env_class = the type of server the logs are from, i.e. mailserver, app_server, webserver
env_type = dev, test or prod.
I can do this with an inputs.conf on the forwarder that looks like this:
# Ref: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
# Add default indexed time field for this type of host
# These fields will be added to all events coming from this host. See README.TXT or fields.conf for how to make these searchable from search head. All variables must be on the same line separated by space
# Note if this config is on an intermediate Heavy Forwarder they will also be applied to all events passing through that forwarder (even cooked data)
# Untested but might be required.
# _meta=env_class::workstation env_type::prod
All the hosts are dynamically created and destroyed with random hostnames, hence the need for these additional fields to be added to all events coming from each host. So for dashboards monitoring, say, perfmon, the end user can quickly drill down to all the prod webservers.
Now all these additional indexed fields must be all contained in the one _meta line in a config. Which brings me to my dilemma.
I'd like some control over this from the deployment server with say the following server classes with associated apps.
Dev Environment App - Sets the env_type=dev for all hosts with *-dev-* in the hostname
Prod Environment App - Sets the env_type=prod for all hosts with *-prod-* in the hostname
Webserver Class App - Sets the env_class=webserver
Mailserver Class App - Sets the env_class=mailserver
The problem is that the Environment and Class app will override the setting of _meta and only one will get used in the final setup.
Because each app uses _meta, only the cfg_set_env_class_webserver will apply the _meta since it wins the precedence war with its app name. So only env_class will be set and env_type will be empty.
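The collision described in the post can be caught before apps are pushed from the deployment server. The following is an added example, not part of the original post or Splunk's own code: a small lint that models the layering in simplified form (assumption: per stanza, the app whose directory name sorts first in ASCII order supplies the whole `_meta` value) and reports which indexed fields are silently dropped. The app name `cfg_set_env_type_prod` and the `[default]` stanza contents are constructed for illustration.

```python
# Added example: lint for _meta collisions across deployment apps.
# Simplified model (assumption): for each stanza, the app whose directory name
# sorts first in ASCII order wins, and its _meta value replaces all others.

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before a header go to 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def meta_fields(value):
    """Split a _meta value 'a::1 b::2' into {'a': '1', 'b': '2'}."""
    return dict(tok.split("::", 1) for tok in value.split() if "::" in tok)

def lint_meta(apps):
    """apps: {app_name: inputs.conf text}. Returns (effective, lost), keyed by stanza."""
    effective, lost = {}, {}
    for app in sorted(apps):  # earlier name in ASCII order has higher priority
        for stanza, kv in parse_conf(apps[app]).items():
            if "_meta" not in kv:
                continue
            fields = meta_fields(kv["_meta"])
            if stanza not in effective:
                effective[stanza] = (app, fields)
            else:
                kept = effective[stanza][1]
                dropped = sorted(f for f in fields if f not in kept)
                lost.setdefault(stanza, []).append((app, dropped))
    return effective, lost

# Constructed sample input; cfg_set_env_type_prod is a hypothetical app name.
APPS = {
    "cfg_set_env_class_webserver": "[default]\n_meta = env_class::webserver\n",
    "cfg_set_env_type_prod": "[default]\n_meta = env_type::prod\n",
}

if __name__ == "__main__":
    effective, lost = lint_meta(APPS)
    for stanza, (app, fields) in effective.items():
        print(f"[{stanza}] _meta taken from {app}: {fields}")
    for stanza, items in lost.items():
        for app, dropped in items:
            print(f"[{stanza}] {app} overridden; fields lost: {dropped}")
```

On the sample input it reports that `env_type` from the second app never reaches the indexed events, which is the empty field the post describes.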