Hello,

I've been looking through documentation and other answers, and would like some ideas on our specific use case.

Essentially, we have 1 Search Head, 1 Indexer, a dozen Heavy Forwarders, and each Heavy Forwarder has an arbitrary and continuously changing number of UFs sending them data. All running 6.7.7.

We are in a situation where we would like to deploy conf files to heavy forwarders/indexer/search head as needed, so we can identify which heavy forwarder each event has passed through. Ideally we would do this without affecting the current parsing happening to the events, which means I'm not comfortable altering the _raw (as I've seen mentioned in some answers) by appending information to the _raw at the Heavy Forwarders, and then extracting the field at index time onto indexers, or search time at search heads.

Looking at suggestions on this post, I have a couple questions: https://answers.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forward...

What would adding this to inputs.conf on a Heavy Forwarder do for us? Is this useful?

[default]
disabled = 0
_meta = Terminal::1

Perhaps instead something like, on the Heavy Forwarder inputs.conf:

[default]
location = mylocation

then on Indexer, props.conf:

[default]
TRANSFORMS-location = addlocation

and transforms.conf:

[addlocation]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true

Any insight and advice is greatly appreciated.
Thank you!