
Are "_meta"-entries still supported in inputs.conf?


I've configured inputs.conf on a universal forwarder with


_meta = testkey::testvalue


_meta = testkey::testvalue


_meta = testkey::anothervalue

and added an entry to fields.conf on the indexer:



This works perfectly fine (I can use the testkey field in searches), but the forwarder complains of a "possible typo", and I can find no reference to the "_meta" notation in the current documentation. Is this an "undocumented feature" that may disappear? Is there an alternative way to mark events for a monitored file with no other dependencies or side effects? (I'd like to keep the standard use of the source, sourcetype, and host fields, independent of the "categorization" that I implement with _meta).

Splunk Employee

The procedure in inputs.conf still works.

Remarks:
- The "_meta" field was triggering a typo warning because it was not in the inputs.spec; this is fixed now.
- For modular inputs (wineventlog, for example), for Splunk 6.* and 6.1., the _meta fields were not passed to the indexes. This is fixed since 6.2.
- In order to make the meta fields searchable, they have to be added to the fields.conf on the search-head.

Splunk Employee

I believe that the documented procedure to write to the meta file using a transform to do so is here:

While it may be undocumented to use the _meta field in the inputs.conf file on a forwarder, this is currently still a valid method for adding metadata to your fields. Take a look at the following answer post: as it mentions this method as well.

So you may want to move the _meta field from the forwarder's inputs.conf file to the transforms.conf file on the indexer. This might be easier to maintain in the future as well.
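
The two approaches discussed in this thread, side by side, as an added example that is not part of the original posts. The monitored path, the sourcetype and the transform name `add_testkey` are hypothetical; `testkey::testvalue` is the value from the question.

```ini
# --- Option A: forwarder-side tagging ---------------------------------
# inputs.conf on the universal forwarder
# (hypothetical path and sourcetype)
[monitor:///var/log/example/app.log]
sourcetype = example_app
# Adds the indexed field testkey=testvalue to every event from this input.
_meta = testkey::testvalue

# --- Option B: indexer-side tagging -----------------------------------
# props.conf on the indexer (a universal forwarder does not parse events,
# so index-time transforms are applied on the indexer)
[source::/var/log/example/app.log]
TRANSFORMS-add_testkey = add_testkey

# transforms.conf on the indexer (hypothetical stanza name)
[add_testkey]
# Match every event of this source.
REGEX = .
# Write the key::value pair into the event's index-time metadata.
FORMAT = testkey::testvalue
WRITE_META = true

# --- Needed for either option ------------------------------------------
# fields.conf on the search head: declare testkey as an indexed field
# so that searches such as testkey=testvalue match.
[testkey]
INDEXED = true
```

Use one option per input, not both, otherwise the same key is written twice for each event.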