Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I merge _meta from several inputs.conf files

cwacha
Path Finder
‎06-06-2011 02:47 AM

I use the universal forwarders ability to enrich the transported files with _meta keywords as follows:

./etc/apps/myapp/local/inputs.conf

[monitor:///myfile]
  disabled = false
  _meta = key1::value key2::value

I also have global key/value pairs for _meta that I would like to add automatically to all monitor stanzas. They are defined in

./system/local/inputs.conf

[default]
  _meta = globalkey::value

The globalkey keyword gets added to all monitor stanzas that do not define a specific _meta keyword. I would like to have the globalkey keyword as well as the additionally defined key/value pairs in the apps inputs.conf defined. Unfortunately the _meta field in apps/../inputs.conf overwrites the system/local/inputs.conf _meta entry.

Is it possible to append the global keywords (defined in ./system/local/) to the defined _meta tag (defined in ./apps/local/inputs.conf) ?.

For example with a configuration as follows using $_meta:

./system/local/inputs.conf

[default]
  _meta = globalkey::value

./etc/apps/myapp/local/inputs.conf

[monitor:///myfile]
  disabled = false
  _meta = $_meta key1::value key2::value
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎06-06-2011 08:29 AM

I don't think it is possible to merge entries from inputs.conf in the manner your describing here. The way precedence works is to take the stanza and do merging based on the settings. The setting with the highest priority is what is taken into account. Other settings will be ignored.

You can probably do this with a props/transforms configuration on the stanzas where you want this to occur.

Reply

jbsplunk
Splunk Employee
Splunk Employee
‎06-07-2011 07:56 AM

The universal forwarder can't do much in the way of parsing, but you can do it at the indexer that the UF is reporting into without any problem.

0 Karma
Reply

cwacha
Path Finder
‎06-07-2011 01:19 AM

As fas as I know props/transforms cannot be used with the universal forwarder...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...