
Are "_meta"-entries still supported in inputs.conf?

Engager

I've configured inputs.conf on a universal forwarder with

[monitor:///somefile.log]
_meta = testkey::testvalue

[monitor:///anotherfile.log]
_meta = testkey::testvalue

[monitor:///yetanotherfile.log]
_meta = testkey::anothervalue

and added an entry to fields.conf on the indexer:

[testkey]
INDEXED=true

This works perfectly fine (I can use the testkey field in searches), but the forwarder complains of a "possible typo", and I can find no reference to the "_meta" notation in the current documentation. Is this an "undocumented feature" that may disappear? Is there an alternative way to mark events for a monitored file with no other dependencies or side effects? (I'd like to keep the standard use of the source, sourcetype, and host fields, independent of the "categorization" that I implement with _meta.)


Re: Are "_meta"-entries still supported in inputs.conf?

Splunk Employee

I believe that the documented procedure to write to the meta file, using a transform to do so, is here:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction

While it may be undocumented to use the _meta field in the inputs.conf file on a forwarder, this is currently still a valid method for adding metadata to your fields. Take a look at the following answer post: http://splunk-base.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forw... as it mentions this method as well.

So you may want to move the _meta field from the forwarder's inputs.conf file to the transforms.conf file on the indexer. This might be easier to maintain in the future as well.
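
The indexer-side alternative suggested above, written out as an added example that is not part of the original posts. The stanza names add_testkey, add_testkey_another and the TRANSFORMS-testkey class are made up for illustration; the source paths, field name and values are the ones from the question.

```ini
# Constructed example; the stanza names and the TRANSFORMS class name are hypothetical.

# --- transforms.conf (indexer) ---
[add_testkey]
# Match every non-empty event from the source so each one gets the field.
REGEX = .
# Same key::value form that _meta used in inputs.conf.
FORMAT = testkey::testvalue
# Append the result to _meta at index time.
WRITE_META = true

[add_testkey_another]
REGEX = .
FORMAT = testkey::anothervalue
WRITE_META = true

# --- props.conf (indexer) ---
# Bind each transform to the monitored file by its source path.
[source::/somefile.log]
TRANSFORMS-testkey = add_testkey

[source::/anotherfile.log]
TRANSFORMS-testkey = add_testkey

[source::/yetanotherfile.log]
TRANSFORMS-testkey = add_testkey_another

# --- fields.conf (search head) ---
# Tells search that testkey is an indexed field.
[testkey]
INDEXED = true
```

With this in place the _meta lines can be dropped from the forwarder's inputs.conf; the transforms only append to _meta, so source, sourcetype and host keep their standard values.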


Re: Are "_meta"-entries still supported in inputs.conf?

Splunk Employee

The procedure in inputs.conf still works.

Remarks:
- The "_meta" field was triggering a typo warning because it was not in the inputs.spec; this is fixed now.
- For modular inputs (wineventlog, for example), for Splunk 6.* and 6.1., the _meta fields were not passed to the indexes. This is fixed since 6.2.
- In order to make the meta fields searchable, they have to be added to the fields.conf on the search head.