I've configured inputs.conf on a universal forwarder with:

    [monitor:///somefile.log]
    _meta = testkey::testvalue
    [monitor:///anotherfile.log]
    _meta = testkey::testvalue
    [monitor:///yetanotherfile.log]
    _meta = testkey::anothervalue

and added an entry to fields.conf on the indexer:

    [testkey]
    INDEXED=true

This works perfectly fine (I can use the testkey field in searches), but the forwarder complains of a "possible typo", and I can find no reference to the "_meta" notation in the current documentation. Is this an "undocumented feature" that may disappear? Is there an alternative way to mark events for a monitored file with no other dependencies or side effects? (I'd like to keep the standard use of the source, sourcetype, and host fields, independent of the "categorization" that I implement with _meta).
The procedure in inputs.conf still works.
Remarks:
- The "_meta" field was triggering a typo warning because it was not in the inputs.spec; this is fixed now.
- For modular inputs (wineventlog, for example), for Splunk 6.* and 6.1., the _meta fields were not passed to the indexes. This is fixed since 6.2.
- In order to make the meta fields searchable, they have to be added to the fields.conf on the search head.
I believe that the documented procedure to write to the meta file using a transforms to do so is here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
While it may be undocumented to use the _meta field in the inputs.conf file on a forwarder, this is currently still a valid method for adding metadata to your fields. Take a look at the following answer post: http://splunk-base.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forw... as it mentions this method as well.
So you may want to move the _meta field from the forwarder's inputs.conf file to the transforms.conf file on the indexer. This might be easier to maintain in the future as well.
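
The transforms-based alternative suggested above, sketched as an added example that is not part of the original posts or of Splunk's documentation. The stanza names `add_testkey_testvalue` and `add_testkey_anothervalue` and the `TRANSFORMS-testkey` class name are hypothetical; the source paths, field name and values are the ones from the question.

```ini
# ---- props.conf (indexer or heavy forwarder) ----
# Index-time transforms run where events are parsed, so these stanzas
# have no effect if placed on a universal forwarder.
# The source value for [monitor:///somefile.log] is /somefile.log.
[source::/somefile.log]
TRANSFORMS-testkey = add_testkey_testvalue

[source::/anotherfile.log]
TRANSFORMS-testkey = add_testkey_testvalue

[source::/yetanotherfile.log]
TRANSFORMS-testkey = add_testkey_anothervalue

# ---- transforms.conf (same instance as props.conf) ----
# REGEX = . matches every non-empty event, so the field is written
# unconditionally, mirroring what _meta does in inputs.conf.
# WRITE_META = true stores the FORMAT output as an indexed field.
[add_testkey_testvalue]
REGEX = .
FORMAT = testkey::testvalue
WRITE_META = true

[add_testkey_anothervalue]
REGEX = .
FORMAT = testkey::anothervalue
WRITE_META = true

# ---- fields.conf (search head) ----
# Tells search that testkey is an indexed field, as in the question.
[testkey]
INDEXED = true
```

With this layout the inputs.conf stanzas on the forwarder keep only their monitor lines, and source, sourcetype and host are left untouched.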